SmokeLoader Campaigns Exposed Through Remus Plugin and Shared C2 Infrastructure
Researchers traced multiple SmokeLoader operations to live command-and-control infrastructure that supported credential theft, screenshot capture, clipboard theft, host profiling, and data exfiltration. One March 2026 campaign used a ClickFix social-engineering lure, an MSI installer, and a Go-based loader to deploy the Remus plugin, with exfiltration sent to baxe[.]pics:48261; investigators extracted configuration data including the C2 URL, campaign ID, plugin markers, and a ChaCha20 key that allowed captured traffic to be decrypted. Cross-sample analysis linked the same builder output to SmokeLoader deliveries via Amadey, Phorpiex, and the ClickFix/GOLoader chain, pointing to a shared malware-as-a-service or affiliate ecosystem.
Separate analysis tied SmokeLoader to a broader dual-family operation involving Fuery, likely run by an operator using the alias "ingermany", who used a Flask-based panel disguised as "InsureFlow Pro" and a second "Monkey" panel for Fuery management. Investigators documented repeated OPSEC failures across the infrastructure, including reused certificates, exposed registration data, same-day domain registrations, and a C2 domain that shared a VPS with a legitimate Arabic-language learning platform, qimmaedu[.]com, while malware traffic beaconed to coox[.]live and baxe[.]pics. The reports also highlighted unusual technical overlaps, including Go 1.20.1 builds, Raft protocol type-name obfuscation, split C2 services on high ports, and hosting links to providers and subnets previously associated with Phorpiex, reinforcing the assessment that financially motivated operators were reusing infrastructure across malware families and legitimate services.
Timeline
Mar 12, 2026
Cross-sample analysis links Remus delivery to broader MaaS ecosystem
Researchers found the same builder output across SmokeLoader samples delivered via Amadey, Phorpiex, and the ClickFix/GOLoader chain, indicating a shared malware-as-a-service or affiliate distribution ecosystem. The activity was assessed as financially motivated cybercrime, with Vietnamese and Eastern European infrastructure indicators but no definitive attribution.
Mar 12, 2026
Researchers trace live Remus C2 and decrypt campaign configuration
Breakglass Intelligence traced the March 2026 campaign to a live command-and-control server at baxe[.]pics:48261 on an OVH Singapore VPS and extracted the Remus plugin configuration, including the C2 URL, campaign ID, plugin markers, and a ChaCha20 key. These findings enabled decryption of captured traffic and exposed multiple operator OPSEC failures, including certificate reuse and same-day domain registrations.
Mar 12, 2026
ClickFix lure campaign delivers SmokeLoader and Remus plugin
In March 2026, researchers analyzed a SmokeLoader campaign that used a ClickFix social-engineering lure, an MSI installer, and a Go-based loader to deploy the Remus plugin. The infection chain included credential theft, wallet targeting, and deployment of a plugin capable of screenshot capture, clipboard theft, and host profiling.
Mar 5, 2026
Breakglass links SmokeLoader and Fuery to single operator "ingermany"
Breakglass Intelligence published findings that linked SmokeLoader and Fuery infrastructure, domains, certificates, and hosting history to a likely single operator distinct from CERT-UA's UAC-0006. The report also highlighted OPSEC failures and overlap with infrastructure associated with Phorpiex-hosting environments.
Mar 5, 2026
Researchers expose shared VPS hosting malware C2 and Arabic LMS
Breakglass Intelligence reported that baxe[.]pics shared infrastructure with qimmaedu[.]com on the same Hetzner VPS, and that a public source map for the LMS leaked developer artifacts linked to the handle sasa4452. The report assessed that the same operator likely reused the VPS for both legitimate projects and SmokeLoader infrastructure.
Mar 5, 2026
SmokeLoader sample observed exfiltrating data to baxe[.]pics and coox[.]live
On March 5, 2026, sandbox analysis of a SmokeLoader sample showed active beaconing to coox[.]live and exfiltration to baxe[.]pics on port 48261, with more than 1 MB of stolen data sent during a single run. Researchers tied baxe[.]pics to a Hetzner VPS that also hosted the legitimate Arabic LMS site qimmaedu[.]com.
Mar 5, 2026
Operator deploys dual SmokeLoader and Fuery C2 infrastructure
A threat actor using the alias "ingermany" stood up a live botnet operation that ran SmokeLoader and Fuery through separate but linked command-and-control panels, including a Flask-based panel disguised as "InsureFlow Pro" and Fuery infrastructure branded as the "Monkey" panel. The infrastructure and malware families shared hosting, build traits, and a Raft-protocol-themed obfuscation method.
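The timeline above repeatedly names the same two destinations, coox[.]live for beaconing and baxe[.]pics on port 48261 for exfiltration. A quick way to operationalise that is to match proxy or firewall logs against the published indicators while keeping them defanged at rest. The following script is an added example, not code from Breakglass Intelligence or Mallory; the log line format and the log contents are constructed for the demonstration, and the `dst=`/`bytes=` fields are assumptions about a hypothetical proxy log.

```python
"""Match network-log destinations against defanged IoCs from a threat report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicators exactly as published in the story above, kept defanged so they
# are not resolved by accident. A trailing ":port" scopes the indicator to
# that port (baxe[.]pics was reported on 48261 specifically).
PUBLISHED_IOCS = ["baxe[.]pics:48261", "coox[.]live"]

# Constructed proxy-style log lines for the demonstration (hypothetical format).
CONSTRUCTED_LOG = [
    "2026-03-05T10:01:02Z src=10.0.0.15 dst=coox.live:443 bytes=812",
    "2026-03-05T10:01:09Z src=10.0.0.15 dst=baxe.pics:48261 bytes=1048576",
    "2026-03-05T10:02:11Z src=10.0.0.22 dst=example.org:443 bytes=2048",
    "2026-03-05T10:03:30Z src=10.0.0.15 dst=baxe.pics:443 bytes=300",
    "2026-03-05T10:04:45Z src=10.0.0.31 dst=cdn.coox.live:8080 bytes=640",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to a matchable hostname[:port]."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def defang(hostname: str) -> str:
    """Defang a hostname before it is written into a report or ticket."""
    return hostname.replace(".", "[.]")


@dataclass
class Match:
    line_no: int
    host: str
    port: Optional[int]
    indicator: str      # the published (defanged) indicator that fired
    port_match: bool    # False when the host matched but on an unexpected port
    bytes_out: int


DST_RE = re.compile(r"\bdst=(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?")
BYTES_RE = re.compile(r"\bbytes=(?P<n>\d+)")


def build_table(iocs: List[str]) -> Dict[str, Set[Optional[int]]]:
    """Map each refanged domain to the set of ports it was reported on (None = any)."""
    table: Dict[str, Set[Optional[int]]] = {}
    for ioc in iocs:
        host, _, port = refang(ioc).partition(":")
        table.setdefault(host.lower(), set()).add(int(port) if port else None)
    return table


def scan(log_lines: List[str], iocs: List[str] = PUBLISHED_IOCS) -> List[Match]:
    """Return every log line whose destination is a published domain or a subdomain of one."""
    table = build_table(iocs)
    matches: List[Match] = []
    for n, line in enumerate(log_lines, 1):
        m = DST_RE.search(line)
        if not m:
            continue
        host = m.group("host").lower().rstrip(".")
        port = int(m.group("port")) if m.group("port") else None
        hit = next((h for h in table if host == h or host.endswith("." + h)), None)
        if hit is None:
            continue
        ports = table[hit]
        b = BYTES_RE.search(line)
        matches.append(Match(
            line_no=n, host=host, port=port, indicator=defang(hit),
            port_match=(None in ports or port in ports),
            bytes_out=int(b.group("n")) if b else 0,
        ))
    return matches


def exfil_candidates(matches: List[Match], threshold: int = 1_000_000) -> List[Match]:
    """Keep matched flows whose outbound volume resembles the reported >1 MB exfiltration run."""
    return [m for m in matches if m.bytes_out >= threshold]


if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_LOG):
        flag = "" if hit.port_match else " (unexpected port)"
        print(f"line {hit.line_no}: {hit.indicator} via {hit.host}:{hit.port}{flag}, {hit.bytes_out} bytes")
```

Host matches on an unexpected port are reported rather than dropped (line 4 in the sample), because the report notes split C2 services on high ports; a hit on the published domain is still worth a look even if the port differs. Indicators are stored and printed defanged and only refanged in memory for comparison.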
Related Stories

Signed Malware Installers and Live C2 Infrastructure Fuel Multiple Loader Campaigns
Breakglass Intelligence identified several active malware delivery operations using signed installers, compromised websites, and live command-and-control infrastructure to distribute loaders, stealers, and remote access tools. One campaign used the newly registered domain `maybedontbanplease[.]com` as CastleLoader C2 on 3NT Solutions LLP infrastructure, with a large NSIS installer embedding Python 3.14, AES-encrypted payloads, and in-memory shellcode execution via `pythonw.exe`; the installer was signed with an EV certificate issued to the likely fictitious entity **SERPENTINE SOLAR LIMITED**. The activity was attributed with medium-high confidence to **GrayBravo** and linked to delivery of **LummaC2, StealC, RedLine, Rhadamanthys, DeerStealer, NetSupport RAT,** and **SectopRAT**, with targeting that included U.S. government, critical infrastructure, IT, and logistics organizations. A separate operation distributed a trojanized `MSTeamsSetup.exe` that installed a weaponized **RustDesk** client and communicated with `mon.systemautoupdater[.]com` on EvoXT infrastructure, while presenting a TLS certificate for `calipology[.]com`, tying the activity to the **GeorgeGinx/Striker** operator. In another live campaign, attackers used the compromised Syrian web development site `allsydevs[.]com` to host an obfuscated .NET loader masquerading as a WordPress image and connected victims to `172[.]93[.]167[.]12:4263` over HTTPS using a self-signed certificate with the fake common name **Mesh Data**; at least six related samples were linked to the same C2, with lure names suggesting targeting of Middle Eastern construction and export firms. Together, the investigations show financially motivated actors expanding malware distribution through fraudulent code-signing, trojanized business software, and hijacked web infrastructure.
1 week ago
ResolverRAT, LummaStealer, and Amadey Linked in Multi-Tool Cybercrime Campaign
Researchers tied **ResolverRAT**, **LummaStealer**, and an **Amadey** botnet cluster to an active financially motivated campaign that has operated since at least late 2025 and uses fake browser update lures, staged loaders, and legitimate remote management tools for persistence. One analyzed chain used a Donut-decrypted, triple-protected `.NET` loader to deliver both ResolverRAT and LummaStealer at once, combining persistent remote access with credential and cryptocurrency wallet theft. The malware used layered obfuscation including .NET Reactor, custom transformations, AES-256-CBC, GZip, process hollowing, fragmented WinAPI reconstruction, forged compile timestamps, encrypted resource blobs, and certificate pinning, while operators rotated infrastructure across dozens of IPs, multiple domains, and hosting providers in Russia, the Netherlands, Germany, Poland, and elsewhere. Investigators also identified a fake Microsoft-themed domain, **pat[.]microsoft-telemetry[.]at**, and newly activated infrastructure such as **kampf[.]huehnchenfarm[.]ru** tied to the same ecosystem. A parallel March 2026 investigation linked the **fbf543** Amadey campaign to more than 50 payloads spanning at least 13 malware families, including Vidar, QuasarRAT, XWorm, AsyncRAT, Smoke Loader, and LummaStealer, with delivery through fake installers and hosting on infrastructure centered on **Omegatech LTD (AS202412)** and related abusive networks. Analysts found that the operators also abused nine legitimate, signed RMM tools from **ConnectWise, DattoRMM, Atera, GoToResolve, and N-able**, configuring them to beacon to attacker-controlled relays rather than compromising the vendors themselves. 
A separate Go-based loader unpacked LummaStealer with AES, RC4, and QuickLZ before hollowing **AppLaunch.exe**, reinforcing a playbook built around stealthy loaders, infostealer deployment, redundant access channels, and monetization consistent with an initial access broker or ransomware affiliate operation.
1 week ago
Chinese-Language Malware Operations Exposed Through GoLoader, ValleyRAT, and FUD Crypt
Researchers uncovered multiple malware operations using scalable builder and crypting infrastructure to deliver remote-access trojans and evade detection. Breakglass Intelligence found two unauthenticated **GoLoader** builder panels that had produced **468,349** polymorphic samples across 71 active tasks, while leaking Alibaba Cloud OSS credentials tied to a public bucket containing LNK droppers, polymorphic VBS scripts, steganographic PNG carriers, .NET loaders, and RAT payloads. The reconstructed infection chain ended with **njRAT**, and reversing its custom AES-256-ECB configuration revealed the C2 `laohe1[.]myvnc[.]com:5000`, overlapping with infrastructure previously associated with **XWorm**. The campaign was assessed with moderate confidence as operated by a Chinese-speaking actor using Simplified Chinese cryptocurrency lures. A separate Breakglass report linked **ValleyRAT** samples targeting Chinese-speaking users to a campaign that blended long-lived Hong Kong infrastructure with a likely compromised UK academic relay. One sample connected to `103.215.77[.]17:4488`, a Hong Kong-hosted server linked to dozens of related malware submissions, while another Rust loader masquerading as **Microsoft OneDrive Sync Engine** decrypted and loaded a ValleyRAT core DLL after sandbox checks; its stage-two C2 used a `govroam.cf.ac[.]uk` hostname resolving into Cardiff University space, suggesting temporary relay use through a compromised GovRoam-connected endpoint. In parallel, researchers analyzing the **FUD Crypt** malware-as-a-service platform found it packaged Windows malware with persistence, C2, and evasion features, tracked **200** registered users and **334** confirmed builds, and documented abuse of Microsoft **Azure Trusted Signing** to produce Microsoft-rooted Authenticode signatures for malicious binaries.
1 week ago