Campaign Identifier: Arsenal-237-109.230.231.37-Malware-Repository

Last Updated: January 12, 2026


EXECUTIVE SUMMARY (BLUF)

The Bottom Line

I have identified 16 malware samples across 7 comprehensive reports distributed from an open web directory at 109.230.231.37, representing a significant threat to organizations across all industries. This campaign combines remote access trojans (RATs), custom ransomware capabilities, multi-layer persistence mechanisms, and credential theft capabilities in a coordinated threat ecosystem that demonstrates organized cybercrime operations.

Analyst Note: The files themselves, their naming, capabilities, distribution, and more make me think that this is a testing ground. From analyzing all the samples it strikes me as new tools, or combinations of tools, being developed or tested. More information can be found in the enc/dec Ransomware Family (10 variants) report.

CRITICAL DISCOVERY: Custom Ransomware Toolkit

This repository contains a sophisticated 10-variant ransomware toolkit, representing a professionally developed capability that combines data theft with destructive impact.

Key Findings:

  • 10-variant ransomware family: 5 encryptors and 5 decryptors
  • Custom ChaCha20+RSA-2048 hybrid cryptography (hand-coded implementation, NOT commodity ransomware)
  • Hardware-optimized encryption: Runtime CPU dispatcher selecting AVX-512/AVX2/SSE instruction sets for maximum performance
  • Professional R&D environment: Versioned builds (v2), testing utilities (test_gui, test_decryptor), per-victim key generation capability
  • Mathematically unbreakable encryption: Without attacker’s RSA-2048 private key, encrypted data is unrecoverable

Strategic Implications: This discovery demonstrates professionally developed destructive ransomware capabilities for financial gain or dual-use operations (exfiltrate data, then encrypt for ransom). Organizations face a dual threat: silent data exfiltration followed by sudden ransomware deployment eliminating recovery options through Volume Shadow Copy deletion.

WHAT I FOUND: This analysis fully examined 16 malware samples across 7 comprehensive reports selected from an open directory containing 38 malicious executables. All malware files were analyzed through automated means. The samples include sophisticated remote access trojans (Golang-compiled RAT, Xworm RAT versions 1 and 2.4.0), a 10-variant custom ransomware family (enc/dec toolkit), advanced persistence droppers (FleetAgentAdvanced, FleetAgentFUD), and privilege escalation tools (UAC bypass proof-of-concept). All Xworm variants share the same command-and-control infrastructure (IP: 109.230.231.37), indicating centralized threat actor operations. Critical findings include a professionally developed ransomware toolkit featuring custom ChaCha20+RSA-2048 cryptography with AVX-512 hardware optimization, and FleetAgentAdvanced.exe implementing quadruple-redundant persistence across Registry Run keys, Scheduled Tasks, and dual Startup folder shortcuts—designed to survive multiple cleanup attempts and ensure malware survival across system reboots.

BUSINESS IMPACT IF INFECTED: Successful infection enables threat actors to establish persistent remote access to compromised systems, harvest credentials (browser passwords, saved authentication tokens, session cookies), exfiltrate sensitive business data, deploy custom ransomware for total data loss, and use infected machines as pivot points for lateral movement across corporate networks. Organizations facing compromise should anticipate multi-day to multi-week incident response efforts requiring coordination across security, IT operations, legal, and compliance teams. Beyond the immediate technical compromise, organizations face:

  • Operational Disruption: Credential theft and data exfiltration incidents typically require intensive multi-day investigation to determine breach scope, followed by extended remediation periods for credential rotation, system rebuilds, and security control deployment. Ransomware deployment adds catastrophic impact: immediate business operation cessation, total data loss requiring attacker’s private key for recovery, and recovery elimination through Volume Shadow Copy deletion. Hardware-optimized encryption (AVX-512) enables rapid encryption of enterprise file servers—potentially encrypting terabytes within hours. Organizations without verified offline backups face complete data loss scenarios.

  • Compliance Obligations: Dual compliance impact from ransomware operations. Data exfiltration triggers mandatory breach notification requirements under regulations like GDPR (72-hour reporting window), HIPAA (60-day notification for healthcare data), and state-level privacy laws (CCPA, SHIELD Act). Organizations must assess whether Protected Health Information (PHI), Personally Identifiable Information (PII), or payment card data was compromised, potentially triggering customer notification obligations and regulatory scrutiny. Ransomware encryption adds permanent data loss notification requirements—unlike exfiltration where data remains in organizational control, encryption represents permanent data destruction requiring different regulatory handling.

  • Reputational Impact: Customer trust erosion following credential theft or data breach incidents results in measurable customer attrition, partner relationship strain, and competitive disadvantage in security-conscious markets. Organizations in regulated industries or those requiring security certifications may face procurement exclusions or contract compliance challenges. Ransomware incidents create public disclosure obligations (SEC 8-K filings for public companies, regulatory breach notifications) with significantly higher media visibility than credential theft incidents alone.

IMMEDIATE ACTIONS REQUIRED:

  1. BLOCK CRITICAL INFRASTRUCTURE: Add IP address 109.230.231.37 to firewall deny lists, web proxy blocklists, and DNS sinkhole configurations. This single network indicator appears across all Xworm RAT variants analyzed and represents the highest-confidence blocking opportunity.

  2. DEPLOY DETECTION SIGNATURES: Import provided YARA rules to endpoint detection platforms (EDR solutions, antivirus management consoles) and Sigma rules to SIEM platforms (Splunk, Elastic, Microsoft Sentinel). Detection packages are organized by malware sample with combined rulesets for rapid deployment. Priority: Deploy enc/dec ransomware family detection rules IMMEDIATELY (see enc/dec Ransomware Detection Package). See Hunting Detections section and individual report links in the Quick Reference Links below.

  3. HUNT FOR EXISTING INFECTIONS: Execute threat hunting procedures targeting persistence artifacts (Registry Run keys with “WindowsDefenderUpdate” or “Microsoft .NET Runtime Optimization” names), suspicious scheduled tasks (Microsoft-themed task names executing from %AppData% locations), ransomware executables (enc.exe, dec.exe, updated_enc.exe, test_gui_enc*.exe patterns), and network connections to 109.230.231.37. Detailed hunting queries provided in Quick Start Detection Guide below.

  4. VERIFY OFFLINE BACKUP INTEGRITY (CRITICAL FOR RANSOMWARE DEFENSE): Organizations must immediately verify offline backup systems are functional, disconnected from network (air-gapped or tape storage), and tested for restoration capability. The enc/dec ransomware family includes Volume Shadow Copy deletion capability, eliminating Windows built-in recovery options. Without verified offline backups, ransomware encryption results in permanent, mathematically unrecoverable data loss.

  5. VERIFY SYSTEM INTEGRITY (IF INFECTIONS FOUND): Organizations identifying confirmed infections must prioritize complete system rebuilds over cleanup attempts. The quadruple-redundant persistence mechanisms in FleetAgentAdvanced and dual-layer persistence in agent.exe are specifically designed to survive partial remediation, increasing residual risk of incomplete cleanup. If ransomware executables are detected, immediately isolate affected systems from network to prevent encryption spread. Detailed incident response procedures available in individual malware reports.

RISK ASSESSMENT:

  • CURRENT RISK (No Action): CRITICAL (8.5/10) - Open directory distribution model enables widespread opportunistic infections; professional-grade persistence mechanisms ensure long-term system compromise; centralized C2 infrastructure facilitates coordinated threat actor operations; custom ransomware capability presents catastrophic data loss risk with mathematically unrecoverable encryption; dual espionage + ransomware threat model (silent data exfiltration followed by destructive encryption).
  • RESIDUAL RISK (After Mitigation): LOW (2.3/10) - Network blocking eliminates C2 connectivity for Xworm variants; detection signatures enable identification of infections before persistence establishment; threat hunting removes existing compromises; system hardening prevents reinfection; offline backup verification provides ransomware recovery capability.

ASSESSMENT BASIS: This analysis represents comprehensive examination of seven publication-quality malware reports covering 16 samples selected from 38 executables in the open directory. Analysis methodology combined static analysis, dynamic behavioral monitoring, memory forensics, cryptographic reverse engineering (for ransomware family), and threat intelligence research. All technical findings verified across multiple independent analysis tools; confidence levels documented in individual reports.


Quick Reference: Malware Analysis Resources

Arsenal-237: Threat Actor R&D Repository Exposed

Each malware sample analyzed in this investigation has three companion resources: a comprehensive technical report with behavioral analysis and incident response guidance, a detection package with YARA/Sigma rules for hunting and prevention, and a machine-readable IOC feed in JSON format for SIEM/EDR ingestion.

agent.exe (Golang RAT): Technical Report | Detection Package | IOC Feed
agent_xworm.exe (XWorm RAT v6): Technical Report | Detection Package | IOC Feed
agent_xworm_v2.exe (XWorm RAT v2.4.0): Technical Report | Detection Package | IOC Feed
enc/dec Ransomware Family (10 variants): Technical Report | Detection Package | IOC Feed
FleetAgentAdvanced.exe (Multi-Persistence Dropper): Technical Report | Detection Package | IOC Feed
FleetAgentFUD.exe (WebSocket RAT): Technical Report | Detection Package | IOC Feed
uac_test.exe (UAC Bypass PoC): Technical Report | Detection Package | IOC Feed

Quick Facts Box

Category | Details
Threat Infrastructure | IP: 109.230.231.37 (C2 server + malware hosting)
Samples Analyzed | 16 samples analyzed in 7 comprehensive reports (from directory with 38+ executables)
Malware Families | Golang RAT, enc/dec Ransomware (10 variants), Xworm RAT v1/v2.4.0, FleetAgent WebSocket RATs
Publication Reports | 7 comprehensive technical reports (linked below)
Detection Packages | 7 hunting/detection guides (see Hunting Detections)
Overall Risk Rating | CRITICAL (8.5/10) - Custom ransomware, dual espionage+destruction operations
Primary Capabilities | Remote access, credential theft, data exfiltration, multi-layer persistence, custom ransomware (ChaCha20+RSA-2048)
Target Industries | ALL SECTORS (opportunistic distribution model)
Analysis Period | December 21, 2025 - Ongoing

Risk Categorization

CRITICAL Risk - Custom Ransomware & Advanced RAT Capabilities

enc/dec Ransomware Family (10 variants) | Comprehensive Report
  Risk: CRITICAL
  Capabilities: Custom ChaCha20+RSA-2048 encryption, AVX-512 hardware optimization, Volume Shadow Copy deletion, per-victim key generation
  Key Finding: Professional R&D environment with versioned builds, testing utilities, mathematically unbreakable encryption, and dual espionage+destruction operations capability

agent.exe - PoetRAT Malware | 34 KB Report
  Risk: CRITICAL
  Capabilities: Process injection, dual persistence, extensive cryptography, credential theft potential
  Key Finding: Golang-compiled RAT with dormant C2, masquerading as Windows Defender service (WinDefenderSvc.exe)


HIGH Risk - Active C2 & Persistence Capabilities

agent_xworm.exe - Xworm RAT v1 | 21 KB Report
  Risk: HIGH
  C2 Server: 109.230.231.37
  Capabilities: PowerShell execution, system reconnaissance
  Key Finding: Hardcoded C2 authentication token reveals centralized threat infrastructure

agent_xworm_v2.exe - Xworm RAT v2.4.0 | 27 KB Report
  Risk: HIGH
  C2 Server: 109.230.231.37
  Protocol: WebSocket-based C2
  Key Finding: Enhanced version with WebSocket protocol upgrade from TCP-based predecessor

FleetAgentAdvanced.exe - Multi-Persistence Dropper | 68 KB Report
  Risk: HIGH
  Persistence Layers: 4 mechanisms
  Dropped Payload: RuntimeOptimization.exe (27 KB)
  Key Finding: Quadruple-redundant persistence (Registry Run + Scheduled Task + 2x Startup LNK) deployed in 1.3 seconds

FleetAgentFUD.exe - WebSocket RAT | 53 KB Report
  Risk: HIGH
  Size: 17.5 KB
  Protocol: WebSocket with X-Agent-Secret header
  Key Finding: Lightweight FUD (Fully Undetectable) design with PowerShell-based post-exploitation capabilities


LOW Risk - Proof-of-Concept / Research Tool

uac_test.exe - UAC Bypass PoC | 46 KB Report
  Risk: LOW (2.1/10)
  Type: Security research tool
  Key Finding: CMSTPLUA COM + Fodhelper UAC bypass techniques; detected admin privileges and self-terminated without execution


Campaign Summary

Analysis of 16 malware samples across 7 comprehensive reports from the open directory at 109.230.231.37 (containing 38 malicious executables) reveals a sophisticated, multi-tier threat ecosystem combining professional remote access trojans (RATs), custom ransomware capabilities, multi-layer persistence droppers, and proof-of-concept exploitation tools. The campaign demonstrates hallmarks of organized cybercrime operations: shared command & control infrastructure, diverse malware families coordinated through centralized infrastructure, and evasion-focused techniques including deceptive Microsoft-themed naming (“WinDefenderSvc.exe”, “Microsoft .NET Runtime Optimization”) designed to blend with legitimate system processes.

The most significant discovery is the enc/dec ransomware family, a professionally developed ransomware toolkit demonstrating sophisticated development practices. This 10-variant toolkit (5 encryptors, 5 decryptors) features custom ChaCha20+RSA-2048 hybrid cryptography with hardware-optimized encryption (AVX-512/AVX2/SSE runtime CPU dispatcher), per-victim key generation, and professional development indicators including versioned builds (enc_v2.exe, test_gui_enc_v2.exe) and testing utilities.

Technical Sophistication Spectrum

Technical sophistication varies significantly, from the Golang-compiled PoetRAT variant with extensive cryptographic capabilities (AES, ChaCha20, RSA) and process injection potential to the lightweight 17 KB FleetAgentFUD.exe leveraging WebSocket-based C2 with custom authentication headers. Xworm RAT variants demonstrate maturity with hardcoded C2 authentication tokens (AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d), PowerShell-based reconnaissance, and environment-aware activation (dormancy mechanisms) designed to evade automated sandbox detection systems.

Persistence Engineering Excellence

The most concerning finding is FleetAgentAdvanced.exe, implementing quadruple-redundant persistence:

  1. Registry Run Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft .NET Runtime Optimization
  2. Scheduled Task: \Microsoft\Windows\.NET Runtime Optimization executing at user logon
  3. Startup Folder LNK (User Profile): %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft .NET Runtime Optimization.lnk
  4. Startup Folder LNK (Common Startup): Duplicate shortcut in alternate Startup directory

All four mechanisms deployed within 1.3 seconds, demonstrating automated deployment. The malware immediately deleted the scheduled task XML configuration file after creation, hampering forensic analysis—an anti-forensic behavior indicating threat actors anticipating security response.

Network Infrastructure Patterns

Network analysis reveals all Xworm variants share the same C2 server (109.230.231.37), suggesting centralized threat actor infrastructure despite varied malware families. This infrastructure consolidation provides defenders with a high-value blocking opportunity—a single network indicator that neutralizes multiple malware families simultaneously. Dynamic analysis identified active persistence establishment in agent.exe and FleetAgentAdvanced.exe, while other samples exhibited dormant behavior—likely awaiting specific environmental conditions, time triggers, or successful C2 handshakes before activating full capabilities.

Analyst Assessment: Multiple technical indicators suggest this infrastructure serves as a testing environment for malware development. Unlike previous cases demonstrating extensive C2 obfuscation (dynamic assignments from pastebin sites, encryption), this repository uses static, sometimes hardcoded C2 addresses—consistent with development/QA operations rather than operational security-conscious deployment.


Additional Analysis: AutomatedReports Overview

Beyond the 6 comprehensive threat intelligence reports, 32 additional malware samples from the same open directory received automated static analysis through my custom-built StaticTriage framework. These samples represent the broader threat ecosystem and provide context for the distribution infrastructure.

Sample Categories

Agent RAT Variants (8 samples):

  • agent_anycpu.exe, agent_dotnet.exe, agent_dotnet_slim.exe, agent_dotnet_v2.exe, agent_dotnet_v3.exe, agent_fw.exe, agent_fw_x64.exe, agent_mem_x64.exe
  • Common Characteristics: .NET-compiled RAT variants with DNS capabilities, mutex implementations, and varying compilation targets (AnyCPU, x86, x64, memory-only execution)
  • Threat Level: MEDIUM to HIGH - Same RAT family as comprehensive agent.exe analysis but different compilation configurations

FleetAgent Suite (6 samples):

  • FleetAgent_MemoryOnly.exe, FleetAgentAdvanced.exe, FleetAgentAdvanced_embedded.exe, FleetAgentEDR.exe, FleetAgentFUD.exe, FleetAgentFull.exe
  • Common Characteristics: Professional malware-as-a-service suite with specialized variants for different evasion scenarios (memory-only, EDR evasion, fully-undetectable builds)
  • Threat Level: HIGH to CRITICAL - Demonstrates threat actor toolkit diversity and operational maturity

Encryption/Decryption Utilities (10 samples):

  • Encryptors (5): enc.exe, enc_v2.exe, updated_enc.exe, enc_pervictim.exe, test_gui_enc_v2.exe
  • Decryptors (5): dec.exe, dec_fast.exe, dec_pc3.exe, dec_unique.exe, test_decryptor.exe
  • Common Characteristics: Professional ransomware toolkit with custom ChaCha20+RSA-2048 hybrid encryption, AVX-512 hardware optimization, and per-victim key generation capability
  • Threat Level: CRITICAL - Active ransomware deployment capability
  • Full Analysis: See enc/dec Ransomware Family comprehensive report

Test/Development Tools (2 samples):

  • test_nopass.exe, test_pass.exe
  • Common Characteristics: Testing utilities for authentication/password functionality, likely part of threat actor development/QA process
  • Threat Level: LOW - Development artifacts, not weaponized malware
  • Note: test_decryptor.exe and test_gui_enc_v2.exe moved to Encryption/Decryption Utilities section

XWorm RAT Variants (2 samples):

  • agent_xworm.exe, agent_xworm_v2.exe
  • Analysis: Covered in comprehensive threat intelligence reports (see agent-xworm-exe.md and agent-xworm-v2-exe.md)
  • Threat Level: HIGH - Active C2 infrastructure, PowerShell execution, multi-malware deployment

Specialized Utilities (4 samples):

  • ProtonVPN.exe, steal_browser.exe, uac_test.exe, agent.exe
  • ProtonVPN.exe: Legitimate VPN client or bundled/trojanized version (requires behavioral analysis for confirmation)
  • steal_browser.exe (8.09 MB): Large credential theft tool with extensive anti-analysis capabilities (debugger detection, VM detection, PowerShell integration)
  • uac_test.exe: UAC bypass proof-of-concept (covered in comprehensive report uac-test-exe.md)
  • Threat Level: VARIABLE - steal_browser.exe is CRITICAL for credential theft, ProtonVPN requires context, uac_test.exe is LOW risk

Key Findings from AutomatedReports

Infrastructure Insight: The presence of 32+ samples demonstrates this is not a single-purpose distribution point but a comprehensive threat actor toolkit repository. The diversity of malware families (RAT variants, ransomware components, credential stealers, testing tools) suggests:

  • Organized cybercrime operations with mature development processes (test builds, versioned releases)
  • Malware-as-a-Service (MaaS) infrastructure offering multiple tools for different attack scenarios
  • Threat actor versatility - Same infrastructure hosts initial access tools (RATs), privilege escalation (UAC bypass), credential theft (steal_browser), and impact tools (encryption utilities)

Detection Priority: While the 6 comprehensive reports cover the highest-priority active threats, organizations should remain vigilant for the broader sample set. Automated detection signatures (YARA, file hashes) for all 32 samples are available in the detection packages.

Automated Analysis: All 32 samples underwent my custom-made StaticTriage automated analysis. Full reports will be made available as manual analysis of the data is completed and if there are any high-impact findings to note.

If anyone would like the raw data from these 32 samples (the output of my automated static triage workflow) for further investigation, let me know on LinkedIn; my profile is linked in the About Me section.


Business Impact Analysis

Impact Scenarios by Likelihood

Scenario | Likelihood | Business Impact Explanation
Credential Theft & Account Compromise | HIGH | All analyzed RAT variants include credential harvesting capabilities (browser passwords, saved authentication tokens, session cookies). Successful credential theft enables unauthorized access to business systems, email accounts, financial platforms, and cloud services. Industry research indicates average time-to-detect for compromised credentials exceeds six months, during which secondary attacks using stolen credentials often cause greater damage than initial malware infection.
Data Exfiltration of Sensitive Business Data | HIGH | RAT capabilities enable file system access, screenshot capture, and clipboard monitoring—facilitating exfiltration of intellectual property, financial records, customer data, and strategic business documents. For regulated industries (healthcare, finance), data exfiltration triggers mandatory breach notification within 60-72 hours, resulting in regulatory scrutiny, potential enforcement actions, and extensive customer notification obligations.
Lateral Movement & Network-Wide Compromise | MEDIUM-HIGH | Credential theft combined with network reconnaissance capabilities (PowerShell-based domain enumeration, service discovery) enables attackers to pivot from initially infected workstations to servers, databases, and critical infrastructure. Enterprise environments with insufficient network segmentation face highest risk.
Persistent Backdoor Access (Long-Term) | MEDIUM-HIGH | Quadruple-redundant persistence mechanisms ensure malware survival across system reboots, Windows updates, and partial cleanup attempts. Organizations discovering infections months after initial compromise face expanded breach scope, increased remediation complexity, and heightened regulatory scrutiny.
Ransomware Deployment via Custom enc/dec Toolkit | HIGH | Critical finding: The same infrastructure hosts a professional 10-variant ransomware toolkit (enc/dec family). Remote access capabilities enable threat actors to deploy custom ChaCha20+RSA-2048 ransomware as secondary payload after establishing persistence and exfiltrating valuable data. Organizations face dual-extortion scenarios: threat to publish exfiltrated data combined with encryption of production systems. Hardware-optimized encryption (AVX-512) enables rapid file server encryption. Volume Shadow Copy deletion eliminates Windows built-in recovery. Without offline backups, data loss is mathematically unrecoverable.
Regulatory Penalties & Compliance Violations | MEDIUM | Data exfiltration involving personally identifiable information (PII), protected health information (PHI), or payment card data triggers regulatory compliance requirements under GDPR, HIPAA, PCI-DSS, and state privacy laws (CCPA, SHIELD Act). Organizations face mandatory breach notification obligations, regulatory audits, potential enforcement actions, and ongoing compliance monitoring.

Operational Impact Timeline (If Infection Confirmed)

Initial Response Phase (First 24 Hours):

  • Personnel Required: Incident response team, IT operations staff, executive leadership notification
  • Activities: Isolate infected systems, preserve forensic evidence, deploy network monitoring, initiate credential rotation for high-value accounts

Investigation Phase (Days 1-7):

  • Personnel Required: Forensic analysts, threat hunters, legal counsel, compliance officers
  • Activities: Memory forensics, log analysis, network traffic review, breach scope determination, regulatory notification assessment

Remediation Phase (Days 7-21):

  • Personnel Required: System administrators, security engineers, help desk support (increased staffing)
  • Activities: Complete system rebuilds, credential rotation (all users in affected departments), security control deployment (EDR, enhanced monitoring), policy updates

Enhanced Monitoring Phase (Days 21-90):

  • Personnel Required: Security operations center (SOC) analysts, threat intelligence team
  • Activities: Continuous monitoring for reinfection indicators, threat hunting for missed compromises, security control validation

Quick Start Detection Guide

IMMEDIATE ACTIONS (Deploy Within 24 Hours)

1. BLOCK CRITICAL NETWORK INFRASTRUCTURE

IP Address: 109.230.231.37
Priority: CRITICAL (P0)
Action: DENY/DROP all inbound and outbound connections
Scope: Firewall rules, web proxy blocklists, DNS sinkhole, IPS/IDS signatures

Implementation Commands:

Windows Firewall (PowerShell):

New-NetFirewallRule -DisplayName "Block Xworm C2 - 109.230.231.37" `
  -Direction Outbound -Action Block -RemoteAddress 109.230.231.37

Cisco ASA Firewall:

access-list BLOCK_MALWARE_C2 extended deny ip any host 109.230.231.37

Palo Alto Networks Firewall:

set address "Xworm-C2-109.230.231.37" ip-netmask 109.230.231.37/32
set rulebase security rules "Block-Xworm-C2" source any destination "Xworm-C2-109.230.231.37" action deny

2. DEPLOY ENDPOINT DETECTION SIGNATURES

Detection Package Locations: see the per-sample Detection Package links in the Quick Reference: Malware Analysis Resources section above.

3. EXECUTE THREAT HUNTING PROCEDURES

PowerShell - Registry Persistence Check:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" |
  Where-Object {
    $_.PSObject.Properties.Name -match "WindowsDefender|\.NET Runtime|WinDefender"
  } | Select-Object PSPath, PSChildName, *

Splunk SPL - Network Connection Hunt:

index=firewall OR index=proxy
  dest_ip="109.230.231.37"
  | stats count by src_ip, dest_port, action
  | where action="allowed"
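The registry check above covers only the first of the four persistence layers described in the Persistence Engineering section. The following hunting script is an added example, not from the original report or its detection packages: it enumerates Registry Run keys, scheduled tasks, and both Startup folders and flags entries whose names match the report's indicators or whose targets execute from %AppData%/%LocalAppData%. It assumes it runs in the context of the potentially affected user and that the WScript.Shell COM object is available to resolve .lnk targets.

```powershell
# Added hunting script (not from the original report): enumerate the four
# persistence layers used by FleetAgentAdvanced.exe and agent.exe and flag
# entries whose names or targets match the report's indicators.
# Assumption: run as the potentially affected user; WScript.Shell COM is
# available for resolving .lnk targets (standard on Windows).

# Names seen in the report (WindowsDefenderUpdate, WinDefenderSvc, .NET Runtime Optimization)
$NamePattern    = 'WindowsDefender|WinDefender|\.NET Runtime Optimization'
# Targets living in the user profile, either as %AppData%-style variables or expanded paths
$UserDirPattern = '%(Local)?AppData%|' + [regex]::Escape($env:APPDATA) + '|' + [regex]::Escape($env:LOCALAPPDATA)

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Layer, [string]$Name, [string]$Target, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Layer = $Layer; Name = $Name; Target = $Target; Reason = $Reason })
}

# Returns a reason string when the entry looks like one of the report's artifacts, else $null
function Test-Suspicious([string]$Name, [string]$Target) {
    if ($Name -match $NamePattern)      { return 'name matches known indicator' }
    if ($Target -match $UserDirPattern) { return 'executes from AppData/LocalAppData' }
    return $null
}

# Layer 1: Registry Run keys (HKCU as used by the samples, HKLM for completeness)
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $reason = Test-Suspicious $p.Name ([string]$p.Value)
        if ($reason) { Add-Finding "Registry Run ($hive)" $p.Name $p.Value $reason }
    }
}

# Layer 2: scheduled tasks, including the \Microsoft\Windows\ folder the dropper hides in
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $reason = Test-Suspicious $task.TaskName $cmd
        if ($reason) { Add-Finding 'Scheduled Task' "$($task.TaskPath)$($task.TaskName)" $cmd $reason }
    }
}

# Layers 3 and 4: per-user and common Startup folders (shortcuts and dropped executables)
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
        $reason = Test-Suspicious $item.BaseName $target
        if ($reason) { Add-Finding 'Startup Folder' $item.Name $target $reason }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No persistence indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Any hit in more than one layer for the same target is the signature of the redundant deployment described above and should be treated as a confirmed infection rather than a stray artifact.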

HIGH-PRIORITY ACTIONS (Deploy Within 1 Week)

1. Deploy Complete Detection Packages

Each malware sample has a dedicated detection guide (see the Hunting Detections section and the Quick Reference links above).

2. Establish Enhanced Monitoring

Configure SIEM correlation rules for behavioral patterns:

  • .NET processes spawning PowerShell child processes with -NoProfile -NonInteractive -WindowStyle Hidden flags
  • WebSocket connections from non-browser executables (10-30 KB file sizes)
  • Scheduled task creation with task names containing “Microsoft” + execution paths in %AppData%
  • Registry Run key modifications with values pointing to %AppData% or %LocalAppData% executables
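The first two patterns above are process and network behaviors rather than on-disk artifacts, so they need event telemetry. The script below is an added example, not from the original report: it scans Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) events for hidden-flag PowerShell launches and for small non-browser binaries making web-port connections or contacting 109.230.231.37. It assumes Sysmon is installed with its default channel name and logs both event types; because Sysmon cannot tell whether a parent is a .NET process, a parent image under \AppData\ is used as the proxy, and the 24-hour window, 32 KB size limit and web-port list are tunable choices rather than values from the report.

```powershell
# Added detection script (not from the original report): review Sysmon process
# creation (Event ID 1) and network connection (Event ID 3) events for the
# behavioral patterns listed in the Enhanced Monitoring section.
# Assumptions: Sysmon writes to its default channel; a ParentImage under
# \AppData\ stands in for "a .NET process"; window, size limit and ports are tunable.

$C2Ip        = '109.230.231.37'
# -NoP/-NoProfile, -NonI/-NonInteractive, -W Hidden/-WindowStyle Hidden, -Exec Bypass
$HiddenFlags = '-(NoP\w*|NonI\w*|W(indowStyle)?\s+Hidden|Exec\w*\s+Bypass)'
$SmallExeMax = 32KB
$WebPorts    = @('80', '443', '8080')
$Browsers    = 'chrome|msedge|firefox|iexplore|brave|opera'
$Since       = (Get-Date).AddHours(-24)

# Flatten a Sysmon event's <EventData> block into a hashtable keyed by field name
function ConvertTo-EventHash($Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function New-Alert($Event, $Rule, $Image, $Detail) {
    [pscustomobject]@{ Time = $Event.TimeCreated; Rule = $Rule; Image = $Image; Detail = $Detail }
}

$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3; StartTime = $Since }
$alerts = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $e = ConvertTo-EventHash $ev
    switch ($ev.Id) {
        1 {
            # Rule 1: powershell.exe started with two or more stealth flags by a parent
            # running from the user profile (the FleetAgentFUD launch pattern).
            $flagHits = [regex]::Matches([string]$e.CommandLine, $HiddenFlags, 'IgnoreCase').Count
            if ($e.Image -match 'powershell\.exe$' -and $flagHits -ge 2 -and
                $e.ParentImage -match '\\AppData\\') {
                New-Alert $ev 'Hidden PowerShell from AppData parent' $e.ParentImage $e.CommandLine
            }
        }
        3 {
            $dest = "$($e.DestinationIp):$($e.DestinationPort)"
            if ($e.DestinationIp -eq $C2Ip) {
                New-Alert $ev 'Connection to known C2 address' $e.Image $dest
            }
            else {
                # Rule 2: web-port connection from a small (<= 32 KB) non-browser binary,
                # the size profile of the WebSocket RATs in this repository.
                $size = if (Test-Path $e.Image) { (Get-Item $e.Image).Length } else { -1 }
                if ($size -ge 0 -and $size -le $SmallExeMax -and
                    $e.DestinationPort -in $WebPorts -and $e.Image -notmatch $Browsers) {
                    New-Alert $ev "Small non-browser image ($size bytes) web connection" $e.Image $dest
                }
            }
        }
    }
}

if ($alerts) { $alerts | Sort-Object Time | Format-Table -AutoSize -Wrap }
else { Write-Host 'No matching Sysmon events in the last 24 hours.' }
```

Rule 2 will also surface legitimate tiny updaters or helper stubs on a first run, so build an allowlist from that baseline before turning the logic into a standing SIEM correlation rule.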

Indicators of Compromise (IOCs)

Network Indicators

Critical C2 Infrastructure:

IP Address: 109.230.231.37
Context: Command & Control server for Xworm RAT variants + malware hosting
Confidence: CONFIRMED (hardcoded in agent_xworm.exe and agent_xworm_v2.exe)

Authentication Tokens:

AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d
Used by: agent_xworm.exe, agent_xworm_v2.exe

Network Protocol Indicators:

  • WebSocket (ws://) connections from non-browser processes
  • Custom HTTP header: X-Agent-Secret: [authentication_token]
  • Base64-encoded TCP traffic to external IPs
  • Long-lived connections with periodic heartbeat patterns (30-60 second intervals)

File Hashes

agent.exe (PoetRAT Malware - CRITICAL)

SHA-256: e7f9a29dde307afff4191dbc14a974405f287b10f359a39305dccdc0ee949385
SHA-1:   e0fe41acd28cae74d75fcbf2f9309ff523c0f36a
MD5:     b1d5e55b1c15b7cb839138625d9d2efa
Size:    4,825,088 bytes (4.7 MB)

WinDefenderSvc.exe (Dropped by agent.exe)

SHA-256: 4e856041018242c62b3848d63b94c3763beda01648d3139060700c11e9334ad1
Size:    4,825,088 bytes (4.7 MB)

agent_xworm.exe (Xworm RAT v1 - HIGH)

SHA-256: 0ec3fca58ef8f0d9f098cd749dd209fccda7cbf68c1eecf836668e5dabd6f3bc
SHA-1:   0102782950619820bbcd60efca256c907403cfb0
MD5:     9d963f85812fd02e382a48c41fc0387e
Size:    16,384 bytes (16 KB)

agent_xworm_v2.exe (Xworm RAT v2.4.0 - HIGH)

SHA-256: f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e
SHA-1:   7c624e0b11c817d516f9411972191c4627fd2e53
MD5:     4164a1945d8373255a5cb7e42f05c259
Size:    16,384 bytes (16 KB)

FleetAgentAdvanced.exe (Multi-Persistence Dropper - HIGH)

SHA-256: 172258e53b9506a7671deab25d2ad360cd833a4942609f1a4836d305ffe4578b
Size:    18,432 bytes (18 KB)
Dropped Payload: RuntimeOptimization.exe (27 KB)

RuntimeOptimization.exe (Dropped by FleetAgentAdvanced.exe)

SHA-256: 9fc6b69623133f5d6f1f4cda0ec4319300080c9bbaa0f88c93f01eeba84e80e7
Size:    27,648 bytes (27 KB)

FleetAgentFUD.exe (WebSocket RAT - HIGH)

SHA-256: 072ce701ec0252eeddd6a0501555296bce512a7b90422addbb6d3619ae10f4ff
Size:    17,920 bytes (17.5 KB)

uac_test.exe (UAC Bypass PoC - LOW)

SHA-256: 18da271868c434494a68937fa12cb302d37b14849c4c0fc1db4007ac13c5b760
Size:    285,184 bytes (278.5 KB)

Host-Based Indicators

File System Artifacts:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\WinDefenderSvc.exe
%LocalAppData%\Temp\.wd_installed
C:\Users\[username]\AppData\Roaming\Microsoft\CLR\RuntimeOptimization.exe
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft .NET Runtime Optimization.lnk

Registry Persistence Mechanisms:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdate
  Malware: agent.exe (PoetRAT malware)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft .NET Runtime Optimization
  Malware: FleetAgentAdvanced.exe

Scheduled Tasks:

Task Name: Microsoft\Windows\.NET Runtime Optimization
Action:    Execute RuntimeOptimization.exe from %AppData%\Microsoft\CLR\
Trigger:   At user logon
Malware:   FleetAgentAdvanced.exe

Process Indicators:

agent.exe → WinDefenderSvc.exe (dropped payload)
agent_xworm.exe → powershell.exe (reconnaissance)
agent_xworm_v2.exe (WebSocket connections)
FleetAgentAdvanced.exe → schtasks.exe (persistence creation)
FleetAgentFUD.exe → powershell.exe -NoP -NonI -W Hidden -Exec Bypass

Behavioral Indicators

Deceptive Naming Patterns:

  • Processes masquerading as Microsoft services: “WinDefenderSvc.exe”, “Microsoft .NET Runtime Optimization”
  • Executables in user directories (%AppData%, Startup folders) with system-themed names
  • Non-Microsoft-signed binaries claiming Windows Defender or .NET Framework affiliation

Rapid Persistence Deployment:

  • All 4 FleetAgentAdvanced persistence mechanisms created within 1.3 seconds
  • Immediate task.xml deletion after scheduled task creation (anti-forensics)
  • Dual persistence in agent.exe (Registry Run + Startup folder) deployed simultaneously

PowerShell Execution Patterns:

# Reconnaissance Commands
Get-Process | Select-Object Name, Id, Path
Get-Service | Select-Object Name, Status, StartType
(Get-WmiObject Win32_ComputerSystem).Domain

Detection & Intelligence Resources

Each of the six detailed threat reports includes comprehensive detection and intelligence resources:

Per-Sample Resources

MITRE ATT&CK Mappings: Comprehensive TTP coverage across 14+ ATT&CK techniques per sample

YARA Rules: File-based detection signatures enabling hash-independent detection

Sigma Rules: Behavioral detection rules for SIEM platforms (Splunk, Elastic, Microsoft Sentinel)

Network Signatures: Suricata/Snort IDS rules for C2 traffic detection

Hunting Queries: PowerShell scripts, Splunk SPL queries, KQL queries for Microsoft Defender ATP

Timeline Analysis: Second-by-second execution chronology showing malware behavior progression


Confidence Levels

Finding Category                            Confidence Level   Verification Method
IOC Accuracy                                HIGH               Confirmed via static + dynamic + memory analysis triangulation
Network Indicators (Xworm)                  CONFIRMED          Hardcoded C2 IP in static strings + active connection attempts in FakeNet-NG logs
Network Indicators (agent.exe/FleetAgent)   DORMANT            C2 infrastructure present in code but no active connections during analysis window
Persistence Mechanisms                      VERIFIED           Autoruns baseline comparison: 4 new entries (FleetAgentAdvanced), 2 entries (agent.exe)
Detection Signatures                        TESTED             YARA, Sigma, network signatures validated against samples + clean system (zero false positives)

Strategic Implications

This campaign demonstrates several concerning trends in the contemporary threat landscape:

1. Professional Ransomware Development (CRITICAL FINDING): The discovery of this custom ransomware toolkit demonstrates professional malware development practices with destructive capabilities for financial gain or dual-use scenarios. Organizations face a threat paradigm of silent operations followed by catastrophic ransomware deployment that eliminates forensic evidence and recovery options. The custom cryptographic implementation (ChaCha20+RSA-2048 with AVX-512 optimization) demonstrates significant R&D investment—this is NOT opportunistic commodity ransomware but a professional, purpose-built capability.

2. Commoditization of Advanced Capabilities: Remote access trojan functionality, WebSocket-based C2 protocols, and multi-layer persistence mechanisms are now accessible via open directories, dramatically lowering barriers to entry for less sophisticated threat actors.

3. Shared Infrastructure Patterns: Multiple distinct malware families sharing C2 infrastructure (109.230.231.37) suggests centralized threat operations or malware-as-a-service (MaaS) business models. Infrastructure-based blocking provides outsized defensive value—a single network indicator neutralizes multiple threat families simultaneously.

4. Evasion-First Design Philosophy: Deceptive Microsoft-themed naming conventions, anti-forensic behaviors (immediate task.xml deletion), and environment-aware dormancy mechanisms indicate threat actors prioritizing stealth and long-term persistence over immediate impact.

5. Persistence Engineering Excellence: FleetAgentAdvanced’s quadruple-redundant persistence architecture demonstrates threat actors anticipating partial remediation efforts and designing survival mechanisms accordingly. Complete system rebuild recommended over incremental cleanup for HIGH-risk malware.

6. Professional R&D Infrastructure: The presence of versioned builds (enc_v2.exe), testing utilities (test_decryptor.exe, test_gui_enc_v2.exe), and per-victim key generation tools (enc_pervictim.exe) demonstrates a mature development process with quality assurance testing—hallmarks of organized, well-resourced threat operations rather than ad-hoc criminal activity.


Sample Selection Methodology

From the 38 executables in the open directory, 16 samples were selected for comprehensive analysis across 7 detailed reports based on:

  1. Malware family diversity (Golang RAT, enc/dec ransomware family, Xworm RAT, FleetAgent variants)
  2. Capability variation (RATs, ransomware toolkit, persistence droppers, privilege escalation tools)
  3. Risk categorization (CRITICAL, HIGH, and LOW risk samples)
  4. Technical sophistication (professional-grade custom cryptography to proof-of-concept tools)

Quality Assurance

Multi-Stage Validation:

  • Static analysis → Dynamic analysis → Memory forensics (three independent analysis methodologies)
  • Cross-tool verification: IOCs validated across YARA, CAPA, Volatility, Autoruns, PEStudio
  • Behavioral timeline verification: Process trees from Volatility 3 matched against Procmon execution logs
  • Detection signature testing: YARA rules tested against samples (100% detection) + clean systems (zero false positives)

Important Notes:

  • The presence of malware samples in an open directory does not imply the hosting provider’s awareness or complicity
  • IP address 109.230.231.37 should be blocked via firewall rules, but network operators should verify legitimate use cases before implementing blocks
  • Detection signatures may require tuning for specific environments to minimize false positives
  • Organizations discovering infections should consult with qualified incident response professionals before remediation
  • This analysis represents findings as of January 2026; threat actors may modify infrastructure, update malware capabilities, or change tactics over time

License

© 2026 Joseph. All rights reserved. Free to read, but reuse requires written permission.