Inferlume

CVE-2026-0300: UNAUTHENTICATED ROOT RCE IN PAN-OS CAPTIVE PORTAL

Attack mechanism:

• Vulnerability type: Buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS.

• Attack vector: Network, unauthenticated, no user interaction required.

• The attacker sends specially crafted packets to the exposed Captive Portal service. The buffer overflow condition redirects execution flow to attacker-controlled code, resulting in arbitrary code execution with root privileges on the host firewall.

• Root compromise of a perimeter firewall bypasses all downstream network controls. Traffic inspection, access control policies, and VPN tunnel confidentiality are all undermined from the device's own vantage point.

Affected versions:

Not affected: Cloud NGFW, Prisma Access.

Exploitability context:

• CVSS 9.3 when Captive Portal is accessible from untrusted networks or the internet.

• CVSS 8.7 when access is restricted to trusted internal IPs only.

• No publicly known proof-of-concept exploit code identified in consulted sources.

• Exploitation described as limited in-the-wild activity. Attack surface will widen as awareness grows before the May 13 patch window opens.

• Patch status: Unpatched as of May 7, 2026. Vendor patch release targeted for May 13, 2026.

• Threat actor: Under Attribution.

• Sector exposure: All sectors operating PA-Series or VM-Series firewalls with Captive Portal enabled and internet-facing.

• Geographic exposure: [INSUFFICIENT SOURCE DATA — global scope implied by device ubiquity; no regional targeting confirmed in consulted sources.]

MUDDYWATER / CHAOS: STATE-SPONSORED INTRUSION MASQUERADING AS RANSOMWARE

Full attack chain (source: Rapid7, 2026-05-06):

• Step 1 — Initial Access: Threat actor initiates one-on-one Microsoft Teams chats with targeted employees from attacker-controlled external accounts, establishing screen-sharing sessions.

• Step 2 — Credential Harvest: During screen-sharing, employees instructed to enter credentials into locally created text files (credentials.txt, cred.txt). Browser artifacts confirm access to hxxps://adm-pulse[.]com/verify.php, a Quick Assist impersonation phishing page.

• Step 3 — MFA Manipulation: MFA configurations modified interactively during the Teams session to add attacker-controlled devices, enabling persistent authenticated access that survives password resets.

• Step 4 — Initial Foothold: Attacker authenticates to internal systems including Domain Controllers using compromised credentials. RDP sessions established.

• Step 5 — Persistence via Remote Access Tools: DWAgent and AnyDesk downloaded and installed as Windows services (dwagsvc.exe), providing persistent remote access independent of the subsequent malware chain.

• Step 6 — Payload Staging: ms_upd.exe downloaded via curl from 172.86.126[.]208:443/ms_upd.exe, saved to C:\ProgramData\ms_upd.exe and executed.

• Step 7 — C2 Registration: ms_upd.exe collects computer name, username, and domain. Generates a unique client ID (computer name + username + tick count). Sends a /register request to moonzonet[.]com and awaits an approved status response.

• Step 8 — Secondary Stage Delivery: ms_upd.exe downloads three components from moonzonet[.]com: Game.dll (saved as WebView2Loader.dll), Game.exe, and Game.config (saved as visualwincomp.txt) into the user's Downloads folder or C:\Users\Public\Downloads. Executes Game.exe, reports execution status, then self-deletes via cmd.exe /c ping 127.0.0.1 -n 6 > nul && del /f /q.

• Step 9 — RAT Deployment: Game.exe establishes C2 to uploadfiler[.]com:443, polls /index.php every 60 seconds, and provides full remote shell capability across 12 commands: run_cmd, run_powershell, upload, upload_chunk, delete_file, cmd_start, cmd_input, cmd_stop, ps_start, ps_input, ps_stop, re_register.

• Step 10 — Lateral Movement: Compromised accounts used for RDP-based movement between systems including Domain Controllers.

• Step 11 — Exfiltration: Data exfiltrated over Game.exe C2 channel to /profile endpoint. Victim subsequently contacted via email with a .onion ransom negotiation link.

• Step 12 — False Flag: Chaos DLS entry created with a countdown timer. No file encryption executed. Absence of encryption is the primary indicator distinguishing this operation from a genuine ransomware attack.

Key technical divergence from genuine ransomware: A genuine RaaS operator does not deploy remote management tools, a custom RAT, and a full lateral movement chain without encrypting files. The espionage objective of persistence, data collection, and long-term access is structurally incompatible with destructive ransomware deployment.

ms_upd.exe technical profile:

• Collects host telemetry and registers with C2 before proceeding.

• No obfuscation; strings are plaintext. API imports statically resolved.

• Self-deletes after delivering Game.exe. Likely single-use or limited-deployment tool.

• Designed to leave minimal forensic footprint once the RAT is operational.

Game.exe technical profile (WebView2 masquerade):

• Trojanized Microsoft WebView2APISample open-source project. PDB path confirms developer modified the official Microsoft repository.

• Anti-analysis checks: sandbox DLL detection (sbiedll.dll, dbghelp.dll, api_log.dll, vmcheck.dll, wpespy.dll), VM CPU keyword detection (Virtual, VMWare, KVM, Hyper-V), sleep and timing checks to detect time-skipping sandboxes.

• Persistence: self-installs into randomized C:\ProgramData\visualwincomp-[random]\ directory. Registers mutex ATTRIBUTES_ObjectKernel to enforce single execution instance.

• Configuration: AES-256-GCM encrypted config file (visualwincomp.txt) decrypted at runtime to extract C2 host and port.

• C2 beaconing: polls /index.php every 60 seconds. Registration data including computer name, username, and privilege level sent to /home endpoint.

• Obfuscation inconsistency: XOR encoding (key 0xAB) applied to anti-analysis strings only. RAT command strings, file paths, and JSON registration formats left in plaintext, providing rich static detection surface.

• Dynamic API resolution via LoadLibraryA/GetProcAddress used to obscure imported functionality from static analysis tools.

Infrastructure fingerprint:

Attribution anchors:

• Certificate thumbprint B674578D4BDB24CD58BF2DC884EAA658B7AA250C ("Donald Gay" / "Microsoft ID Verified CS AOC CA 02") is a confirmed MuddyWater shared resource, previously used to sign Stagecomp/Darkcomp backdoor variants. Time-invalid; revoked shortly after deployment.

• moonzonet[.]com independently linked to MuddyWater activity in early 2026.

• Tradecraft alignment with Operation Olalampo (March through April 2026 MuddyWater campaign) including Microsoft Teams social engineering and pythonw.exe proxy execution.

• Attribution confidence: Moderate. Second independent corroborating source not present in this source window.

Sector exposure: US construction, manufacturing, business services per Chaos DLS victim profile. Iranian targeting patterns extend to government and critical infrastructure sectors globally.
Geographic exposure: United States, Israel, MENA, Western Europe.

CVE-2026-41940: CPANEL/WHM MASS EXPLOITATION AND SORRY RANSOMWARE

• Vulnerability: Critical flaw in cPanel and WHM. Exact vulnerability class not confirmed in consulted sources beyond characterization as critical. CVSS score not published in consulted sources.

• Exploitation: Mass exploitation confirmed. Shadowserver estimates more than 550,000 servers remain potentially exposed.

• Observed post-exploitation activity: Website compromises, ransomware notes, and file encryption associated with the Sorry ransomware family.

• Patch status: Patch availability and version details not confirmed in consulted sources. Treat as requiring immediate action pending vendor advisory.

• No CISA KEV listing confirmed for this CVE in the current source window.

• Threat actor: Under Attribution.

• Sector exposure: All sectors operating internet-facing cPanel/WHM web hosting environments.

• Geographic exposure: [INSUFFICIENT SOURCE DATA — mass exploitation implies global scope.]

CISA KEV CLUSTER: SIMPLEHELP, SAMSUNG MAGICINFO, D-LINK DIR-823X

Federal deadline: May 8, 2026. CISA urges all organizations, not only FCEB agencies, to treat these as high-priority remediation items.

GRASSMARLIN CVE-2026-6807 AND IRANIAN OT PROBING

• CVE-2026-6807 (GrassMarlin): Insufficiently hardened XML parsing enabling XML External Entity-style attacks via crafted session files. A user tricked into opening a malicious session file may trigger sensitive data disclosure. GrassMarlin is an NSA-developed network-mapping tool for ICS and SCADA environments that went end-of-life in 2017. No patch will be issued. CISA recommends isolation from untrusted networks and avoidance of untrusted session files.

• Iranian OT probing (CISA joint advisory): Iranian-affiliated actors are actively probing and exploiting internet-connected OT devices, specifically Rockwell/Allen-Bradley PLCs, across US critical infrastructure sectors including energy, water, healthcare, and manufacturing. Confirmed instances of operational disruption and financial loss reported. Stryker (medical device manufacturer) cited in consulted sources as an illustrative example of Iran-linked attack impact on industrial and healthcare environments; independent confirmation of this specific attribution not available beyond secondary source reporting.

• Recommended immediate actions for OT operators: Verify GrassMarlin is isolated from untrusted networks; confirm PLCs and critical OT devices are not directly internet-accessible; review firewall rules and remote access paths for ICS/OT segments; cross-reference CISA advisory IOCs against OT network logs.

STRATEGIC THREAT CONTEXT

• Fortinet 2026 Global Threat Landscape report: 7,831 confirmed ransomware victims in 2025 versus approximately 1,600 the prior year, a 389 percent increase. AI-assisted crimeware tooling (WormGPT, FraudGPT, BruteForceAI) is credited with lowering operator skill barriers and accelerating the cybercrime supply chain.

• Time-to-exploit compression: For critical outbreaks, TTE has compressed to approximately 24 to 48 hours after disclosure, compared to a previously reported average of 4.76 days. The CVE-2026-41940 mass exploitation pattern is consistent with this trend.

• US ransomware ecosystem density: 53 distinct ransomware groups claimed US victims in January through February 2026 alone. Top operators during this period included Qilin, Akira, Clop, INC Ransom, Play, DragonForce, and Sinobi. Shared tooling, infrastructure patterns, and victimology increase the likelihood of repeated targeting of the same sectors and organizations.

• Manufacturing, business services, and retail are the most frequently targeted sectors globally per Fortinet data. These align directly with both the Chaos DLS victim profile and the broader ransomware ecosystem trends observed this week.

27 OPERATIONAL RESPONSE

Two parallel operational tracks are required today. The first addresses emergency perimeter device mitigation for CVE-2026-0300 and the KEV deadline cluster. The second addresses full APT-level re-scoping for any organization that has experienced Chaos-branded ransomware contact in 2026. All other actions flow from these two priorities.

PRIORITY ONE: CVE-2026-0300 PAN-OS ZERO-DAY (ACT NOW, PATCH MAY 13)

Containment actions:

• Identify all PAN-OS PA-Series and VM-Series firewalls in the estate immediately.

• For each device, determine whether the User-ID Authentication Portal (Captive Portal) is enabled and accessible from untrusted networks or the internet.

• Disable internet-facing and untrusted-network access to the Captive Portal immediately. If Captive Portal is not operationally required, disable it entirely.

• Restricting portal access to trusted internal IP ranges reduces CVSS from 9.3 to 8.7 and materially reduces active exploitation risk per vendor guidance.

• Confirm PAN-OS versions against the affected version table. If unpatched and portal cannot be restricted, initiate emergency change control.

Hardening actions:

• Apply workaround per Palo Alto Networks advisory: restrict User-ID Authentication Portal to trusted zones only or disable the service where not required.

• Patch as soon as May 13, 2026 fixes are released. Prioritize PAN-OS 12.1, 11.2, 11.1, and 10.2 branches. Schedule emergency change window now.

• Enable detailed logging on the Captive Portal service to capture any reconnaissance or exploitation activity predating the patch window.

• Review firewall logs for anomalous or unexpected inbound connections to the User-ID Authentication Portal from external IPs going back at least seven days.

Internal coordination:

• Network and firewall engineering: immediate configuration review and portal restriction deployment.

• Vulnerability management: track CVE-2026-0300 for May 13 patch release and hold emergency change window.

• SOC: enable alerts for anomalous traffic to Captive Portal ports and endpoints.

• If exploitation is suspected: initiate IR process, preserve firewall logs, and contact Palo Alto Networks PSIRT.

PRIORITY TWO: MUDDYWATER / CHAOS FALSE FLAG (RE-SCOPE ALL 2026 CHAOS ENGAGEMENTS)

Containment actions:

• If your organization received any Chaos ransomware contact, extortion message, or DLS listing in 2026, immediately re-scope the IR engagement. Do not treat as closed. Search for DWAgent, AnyDesk, and RAT artifacts before concluding remediation.

• Audit all active Microsoft Teams external chat sessions and external guest accounts. Disable external Teams chat if not operationally required.

• Revoke all credentials that may have been exposed via Teams screen-sharing sessions. Force MFA re-enrollment for all accounts, removing any unrecognized MFA devices.

• Hunt for persistence artifacts: dwagent.exe, dwagsvc.exe, dwaglnc.exe, AnyDesk.exe, Game.exe, WebView2.exe, ms_upd.exe, and visualwincomp.txt in C:\ProgramData\ directories across all managed endpoints.

• Block all IOC domains and IPs at perimeter and DNS: moonzonet[.]com, uploadfiler[.]com, adm-pulse[.]com, 172.86.126[.]208, 77.110.107[.]235, 93.123.39[.]127, 116.203.208[.]186.

Hardening actions:

• Restrict or disable Microsoft Teams external chat (anonymous external message requests from outside the tenant).

• Deploy or tune DLP alerting on creation of credential-named files (credentials.txt, cred.txt) in user Desktop, Documents, and Downloads paths.

• Audit remote management tool installations across all endpoints. Flag any unsigned or unrecognized DWAgent or AnyDesk installations, particularly from C:\ProgramData.

• Review RDP access logs for unexpected lateral movement to Domain Controllers.

• Run IOC-based sweeps using published SHA-256 hashes against EDR, endpoint inventory, and proxy/DNS logs within 24 hours.

Internal coordination:

• Identity and IAM team: emergency MFA device audit and re-enrollment for any accounts connected via Teams to external parties.

• SOC: activate hunting hypotheses for DWAgent persistence and pythonw.exe proxy execution.

• IR team: if DWAgent or Game.exe artifacts found, treat as full APT-level compromise, not ransomware. Engage threat intelligence capability.

• Legal and compliance: if data exfiltration confirmed, initiate breach notification review per applicable frameworks (GDPR, DPDP, HIPAA, NIS2 depending on sector and region).

• External communications: do not engage ransom negotiation channels without IR leadership sign-off, as doing so may alert the threat actor to active investigation.

PRIORITY THREE: CISA KEV DEADLINE MAY 8 (FINAL 24 HOURS)

• SimpleHelp: Apply patch for CVE-2024-57726 (CVSS 9.9) and CVE-2024-57728 immediately. SimpleHelp exploitation enables unauthorized access to all endpoints managed through the platform.

• Samsung MagicINFO 9: Upgrade to version 21.1050 or later for CVE-2024-7399 (CVSS 8.8). The flaw enables arbitrary file write as SYSTEM authority.

• D-Link DIR-823X: This device is end-of-life. No patch will ever be issued for CVE-2025-29635. Immediately discontinue use and replace with a supported device. This is the only compliant mitigation.

PRIORITY FOUR: CVE-2026-41940 CPANEL/WHM (TREAT AS ACTIVE EXPLOITATION UNDERWAY)

• Organizations operating internet-facing cPanel/WHM environments should assume active scanning and opportunistic exploitation is underway now.

• Restrict exposure through network-level controls and enforce strong authentication on administrative interfaces immediately pending vendor patch availability.

• Monitor for anomalous administrative actions, new account creation, unexpected file changes, and webshell-like behavior in web-accessible directories.

• Threat hunt focus: unauthorized cron jobs, new scheduled tasks, suspicious outbound connections, and anomalous changes in web content or file shares.

PRIORITY FIVE: OT ENVIRONMENTS AND GRASSMARLIN (FOR ICS/OT OPERATORS)

• Verify GrassMarlin, if still in use, is fully isolated from untrusted networks. Ensure staff are aware of the risk of opening untrusted session files.

• Confirm that PLCs (particularly Rockwell/Allen-Bradley) and all other critical OT devices are not directly reachable from the internet.

• Conduct immediate review of remote access paths, firewall rules, and monitoring coverage around ICS/OT network segments.

• Cross-reference CISA advisory IOCs for Iranian OT probing against OT network logs and historian access records going back 30 days.

PRIORITY ORDER SUMMARY

28 INCIDENT TIMELINE

CVE-2026-0300 (PAN-OS Captive Portal RCE):

• Early May 2026 (exact date not confirmed in consulted sources): Limited in-the-wild exploitation of CVE-2026-0300 begins, targeting internet-exposed User-ID Authentication Portals on PA-Series and VM-Series firewalls.

• 2026-05-04: Palo Alto Networks publishes security advisory for CVE-2026-0300, confirming buffer overflow in Captive Portal service. Patches committed for May 13, 2026.

• 2026-05-05: The Hacker News, SecurityWeek, watchTowr, and HelpNetSecurity report on the vulnerability and active exploitation. watchTowr confirms no patches available.

• 2026-05-07 (report date): Status: Unpatched. Active exploitation confirmed. Patch target date May 13, 2026.

MuddyWater / Chaos False Flag Operation:

• February 2025: Chaos RaaS group becomes active. Rapid7 assesses it likely includes former BlackSuit and Royal ransomware members following Operation Checkmate (law enforcement disruption of BlackSuit infrastructure, July 2025).

• Early 2026 (exact date not confirmed in consulted sources): MuddyWater-attributed intrusion begins. Threat actor initiates Microsoft Teams external chat sessions with targeted employees. Screen-sharing used to harvest credentials and manipulate MFA.

• Early 2026 (post initial access): DWAgent and AnyDesk deployed as persistent services. RDP sessions established to Domain Controllers. ms_upd.exe downloaded from 172.86.126[.]208:443 via curl.

• Early 2026 (post foothold): Game.exe RAT deployed. C2 established to uploadfiler[.]com:443. Data exfiltration initiated. Victim contacted via email with .onion ransom negotiation link. Chaos DLS entry created with countdown timer. No file encryption executed.

• Late March 2026: Chaos DLS shows 36 claimed victims.

• 2026-05-06: Rapid7 publishes full technical report "Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware." Report includes IOCs, YARA rules, Game.exe malware analysis, MITRE ATT&CK mapping, and certificate attribution anchor.

• 2026-05-07 (report date): Status: Rapid7 report in active dissemination. IOCs published. Attribution moderate confidence. Second independent corroborating source pending.

CISA KEV Cluster:

• 2026-04-24 through 2026-04-25: CISA adds CVE-2024-57726, CVE-2024-57728, CVE-2024-7399, and CVE-2025-29635 to KEV catalog. Federal remediation deadline set for May 8, 2026.

• 2026-05-07 (report date): Status: Deadline expires in less than 24 hours. D-Link device has no patch; discontinuation is the only compliant mitigation.

CVE-2026-41940 / Sorry Ransomware:

• 2026-05-06: BleepingComputer reports mass exploitation of CVE-2026-41940 in cPanel/WHM. Shadowserver exposure estimate of 550,000 servers published. Sorry ransomware deployment confirmed in observed post-exploitation activity.

• 2026-05-07 (report date): Status: Mass exploitation ongoing. No CISA KEV listing or T1-weight advisory confirmed in consulted sources. Single primary source for technical detail.

Papua New Guinea Magisterial Service:

• Reported within the 24-hour window: Gentlemen ransomware group claims intrusion and threatens release of judicial data. Intrusion date and vector not confirmed in consulted sources.

MediaWorks Hungary:

• Reported within the 24-hour window: World Leaks group publishes 8.5 TB of exfiltrated data. MediaWorks confirms the incident. Intrusion date and technical vector not confirmed in consulted sources.

GrassMarlin CVE-2026-6807:

• 2026-04-29: CISA publishes advisory for CVE-2026-6807. No patch available; tool is end-of-life since 2017.

Iranian OT Probing:

• April 2026: CISA and US federal partners publish joint advisory on Iranian-affiliated OT targeting activity. Ongoing activity confirmed at report date.

29 TECHNICAL ANALYSIS

CVE-2026-0300: TECHNICAL DETAIL

• Vulnerability class: Stack or heap buffer overflow (exact memory region not confirmed in consulted sources) in the User-ID Authentication Portal service of PAN-OS.

• Trigger condition: Specially crafted packets sent to the Captive Portal service endpoint. No authentication, no user interaction, no prior foothold required.

• Impact: Arbitrary code execution with root privileges on the affected PA-Series or VM-Series firewall host.

• CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS 9.3 for internet-exposed configuration). Restricted to trusted IPs: CVSS 8.7.

• CWE classification: [NOT CONFIRMED IN CONSULTED SOURCES]

• Exploitation evidence: Described as limited in-the-wild activity by Palo Alto Networks. No further forensic detail, no IOCs, and no post-exploitation artifacts published in consulted sources within this window.

• PoC availability: No publicly known proof-of-concept exploit code identified in consulted sources.

• Patch status: Unpatched as of May 7, 2026. Fixes targeted for May 13, 2026.

MUDDYWATER / CHAOS: MALWARE TECHNICAL DETAIL

ms_upd.exe (Initial Downloader):

• Function: Collects host telemetry, registers with C2, downloads and executes the Game.exe RAT, then self-deletes.

• Telemetry collected: Computer name, username, domain. Client ID generated as computer name + username + tick count.

• C2 protocol: HTTP requests to moonzonet[.]com via /register (registration) and /check (status polling) endpoints.

• Self-deletion mechanism: cmd.exe /c ping 127.0.0.1 -n 6 > nul && del /f /q [path]

• Obfuscation: None. Strings are plaintext. API imports statically resolved.

• Likely designed as a single-use staging tool to minimize forensic footprint.

Game.exe (Custom RAT, WebView2 Masquerade):

• Origin: Trojanized Microsoft WebView2APISample open-source project. PDB path retained, confirming developer modified the official repository rather than writing from scratch.

• Masquerade: Presents as a legitimate Microsoft WebView2 application to casual inspection.

• Anti-analysis and evasion:

• Persistence: Self-installs into C:\ProgramData\visualwincomp-[random]\ directory. Designed to blend with legitimate ProgramData entries.

• Configuration decryption: AES-256-GCM encrypted configuration file (visualwincomp.txt) decrypted at runtime to extract C2 host (uploadfiler[.]com) and port (443).

• C2 registration: Sends computer name, username, and privilege level to /home endpoint. Polls /index.php every 60 seconds.

• Supported RAT commands:

• Exfiltration: Command results and status data reported to /profile endpoint over the same HTTPS-mimicking channel.

• Obfuscation inconsistency: XOR encoding (key 0xAB) applied only to anti-analysis strings. All RAT command names, file path strings, and JSON registration keys left in plaintext, providing a rich and reliable static detection surface.

• Dynamic API resolution: LoadLibraryA and GetProcAddress used to resolve certain API imports at runtime, obscuring some functionality from basic static import analysis.

Code-signing certificate detail:

CISA KEV CLUSTER: TECHNICAL DETAIL

CVE-2026-41940 (CPANEL/WHM): TECHNICAL DETAIL

• Vulnerability class: Described as critical in consulted sources. Exact vulnerability mechanism (injection, traversal, overflow, authentication bypass) not confirmed in consulted sources within this window.

• Exploitation scale: Shadowserver estimates more than 550,000 internet-facing servers remain potentially exposed.

• Post-exploitation observed: Website defacement, ransomware notes, file encryption associated with Sorry ransomware family.

• Patch details: [NOT CONFIRMED IN CONSULTED SOURCES]. Treat as requiring immediate vendor advisory review.

GRASSMARLIN CVE-2026-6807: TECHNICAL DETAIL

• Vulnerability class: Insufficiently hardened XML parsing enabling XML External Entity (XXE)-style attacks.

• Trigger: User opens a crafted GrassMarlin session file received from an untrusted source.

• Impact: Sensitive data disclosure from the analyst's system. Potential to exfiltrate network topology data, ICS device inventories, or other sensitive mapping artifacts produced by GrassMarlin.

• Patch: None available. Tool is end-of-life since 2017.

• Mitigation: Isolate from untrusted networks; do not open untrusted session files; consider decommissioning in favor of supported alternatives.

30 IOC AND INFRASTRUCTURE

All confirmed IOCs in this report originate from the MuddyWater / Chaos false-flag cluster and were published by Rapid7 on May 6, 2026. No IOCs have been published in consulted sources for CVE-2026-0300, CVE-2026-41940, the Papua New Guinea incident, the MediaWorks incident, or the Iranian OT probing advisory.

FILE HASHES (SHA-256):

NETWORK INDICATORS:

ONION ADDRESS (do not access):
hptqq2o2qjva7lcaaq67w36jihzivkaitkexorauw7b2yul2z6zozpqd[.]onion — Chaos RaaS dark leak site negotiation address

CERTIFICATE:

INFRASTRUCTURE BEHAVIORAL PATTERNS:

• Game.exe C2 beaconing interval: 60-second polling to /index.php. Low-frequency, low-noise pattern designed to avoid anomaly-based detection thresholds.

• All C2 communication runs over port 443 mimicking HTTPS to blend with normal enterprise web traffic.

• Teams source IPs represent attacker-controlled accounts or infrastructure used to initiate external chat sessions; not necessarily static infrastructure.

• adm-pulse[.]com mimics a legitimate Quick Assist authentication interface. Credential input is interactively guided during a live screen-sharing session, reducing victim suspicion.

• moonzonet[.]com and uploadfiler[.]com represent two distinct C2 tiers: staging and RAT operations respectively, providing operational separation between dropper and post-compromise activity.