
WaterHydra-Linked DarkMe and QuasarRAT Infrastructure Exposed Across Bulletproof Hosts

Tags: threat-infrastructure-tracking, remote-access-implant, loader-delivery-mechanism, credential-stealer-activity, command-and-control-method
Updated April 25, 2026 at 01:14 AM (4 sources)

Researchers linked the GitHub operator evilgrou-tech to the WaterHydra/DarkCasino lineage and uncovered an active malware operation using DarkMe RAT, QuasarRAT v1.4.1, and a modified "Sentinel" QuasarRAT variant against forex traders and cryptocurrency users. The attribution rests on a reused developer artifact — C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb — along with dozens of overlapping indicators spanning code, infrastructure, targeting, and tradecraft. The campaign used GitHub-hosted encrypted payloads, multi-stage loaders, AMSI bypasses, fileless .NET execution, registry and startup persistence, and live command-and-control nodes including 91.124.98.29:2626 and 192.109.200[.]147. Investigators recovered five AES payload key schemes, an XOR loader key, and QuasarRAT PBKDF2-derived cryptographic material, enabling offline decryption of staged payloads and configuration data.

The infrastructure mapped the operation across hosting providers and networks in Ukraine, Russia, and the United States, with ties to ThinkHuge, PrefixBroker, PFCLOUD, and upstream infrastructure associated with CountLoader and an Amadey staging server linked to more than 23 malware families. The Sentinel variant added Hidden VNC, keylogging, and browser credential theft under a crypto-focused "Pumpfun" campaign, while the parallel "Office04" activity remained focused on financial trading targets. Separate analysis of the live QuasarRAT server showed its encryption key matched the SHA1 hash of the server TLS certificate, but a protocol-accurate fake client was still rejected, indicating application-layer IP allowlisting on the C2. Breakglass also identified a second, distinct malware distribution operation tied to a Brazilian Portuguese-speaking actor that used fake gaming cheat sites, GitHub, Discord, and MediaFire to spread AgentTesla, underscoring broader criminal use of the same malware delivery ecosystem.

Timeline

  1. Mar 9, 2026

    Operator assessed as likely Russian-origin based on development artifacts

    Breakglass assessed the operator behind the evilgrou-tech activity as likely Russian-origin. The assessment cited the hostname 'russia978,' Russian-language code comments, and UTC+3 development patterns across 132 git commits.

  2. Mar 9, 2026

    Researchers observed live GitHub payload rotation and recovered fresh samples

    The March 9 follow-up documented ongoing payload rotation in GitHub-hosted repositories used by the actor. Investigators recovered fresh DarkMe and QuasarRAT payloads and further cataloged the encryption and persistence methods used across the toolset.

  3. Mar 9, 2026

    PFCLOUD hosting linked WaterHydra activity to broader malware ecosystem

    On March 9, 2026, Breakglass reported that Sentinel's C2 at 192.109.200.147 was hosted in the same PFCLOUD /24 as CountLoader infrastructure. The same upstream connectivity was also tied to an Amadey staging server distributing more than 23 malware families, indicating broader ecosystem overlap.

  4. Mar 9, 2026

    Sentinel QuasarRAT variant linked to crypto-targeting campaign

    A follow-up investigation identified a second QuasarRAT variant called 'Sentinel' used under the campaign tag 'Pumpfun' to target cryptocurrency users, while the actor simultaneously ran the forex-focused 'Office04' campaign. Sentinel added Hidden VNC, keylogging, and browser credential theft.

  5. Mar 7, 2026

    Second operation linked to Brazilian Portuguese-speaking malware actor

    The same March 2026 reporting identified a separate campaign run by Wsoftwares / z_white_x using fake gaming cheat sites, GitHub, Discord, and MediaFire to distribute AgentTesla. Git commit metadata and reused email addresses linked this activity to a Brazilian Portuguese-speaking actor.

  6. Mar 7, 2026

    QuasarRAT fake client tested against live C2 reveals IP-based access control

    Researchers reverse engineered QuasarRAT v1.4.1 samples from the 'Office04' campaign, derived session keys from the live server's TLS certificate, and built a protocol-accurate fake client. Testing against 91.124.98.29:2626 showed that data-sending sessions were immediately dropped while idle TLS sessions stayed open, indicating application-layer IP whitelisting.

  7. Mar 7, 2026

    evilgrou-tech activity attributed to WaterHydra/DarkCasino lineage

    Breakglass attributed the GitHub operator 'evilgrou-tech' to the WaterHydra/DarkCasino lineage with moderate-to-high confidence (high confidence in a separate report). The attribution was based on the reused 'vaeeva' fingerprint, shared DarkMe tooling, forex-focused targeting, and dozens of overlapping code and infrastructure indicators.

  8. Mar 7, 2026

    Researchers recovered AES keys and decrypted staged payloads

    Breakglass recovered five AES payload key schemes, an XOR loader key, and QuasarRAT PBKDF2-derived cryptographic material from the operation. This enabled offline decryption of staged payloads and configuration data used by the actor.

  9. Mar 7, 2026

    Live C2 infrastructure mapped across Ukraine, Russia, and the US

    During the March 2026 investigation, researchers identified active command-and-control infrastructure including a live QuasarRAT and DarkMe server at 91.124.98.29:2626, management systems in a ThinkHuge /21 block, and a separate Russian IP associated with VenomRAT, Vidar, StormKitty, LummaStealer, and RedLine. The infrastructure spanned multiple countries and suggested overlap with broader criminal hosting ecosystems.

  10. Mar 7, 2026

    Researchers discovered active multi-RAT operations tied to evilgrou-tech

    On March 7-8, 2026, Breakglass identified two active malware operations through MalwareBazaar hunting. One centered on the handle 'evilgrou-tech' and used QuasarRAT, DarkMe RAT, Quakbot, and a QuasarRAT 'Sentinel' variant delivered through GitHub-hosted encrypted payloads.

  11. Jan 1, 2024

    WaterHydra-linked payload reused the 'vaeeva' developer fingerprint

    In 2024, a WaterHydra payload was observed carrying the same 'vaeeva' build-path artifact previously seen in a 2022 Evilnum-linked DLL. This reuse later supported attribution tying Evilnum, DarkCasino, WaterHydra, and the 2026 activity together.

  12. Jan 1, 2023

    WaterHydra operator ran evolving C2 infrastructure over a three-year period

    Historical infrastructure analysis showed the actor's command-and-control setup evolving from Comcast-hosted gibberish domains to No-IP dynamic DNS and then to bulletproof hosting providers including ThinkHuge, PrefixBroker, and PFCLOUD. This progression established continuity between older and current operations.

  13. May 1, 2022

    DarkMe builder with 'vaeeva' path compiled and later reused

    Breakglass traced the actor's tooling to an older DarkMe RAT VB6 builder compiled in May 2022. A distinctive developer path, `C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb`, became a key fingerprint later used to connect subsequent activity to the same lineage.
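The C2 endpoints, the shared PFCLOUD /24 and the 'vaeeva' build path noted in the summary and timeline above are the indicators a defender would sweep proxy, firewall and sandbox output for. The following Python is an added example, not code from Breakglass or Mallory: it refangs report-style indicators, checks every IPv4 address in a log line against exact endpoint, host-only and subnet indicators, and looks for the build-path string in sandbox records. The log lines are constructed, the 192.109.200.0/24 range is an assumption derived from the report's statement that the Sentinel C2 sits in the same /24 as CountLoader infrastructure, and the match kinds (c2_endpoint, c2_host, suspect_net, build_path) are labels chosen here.

```python
"""Sweep log lines for the indicators reported above.

Added example, not Breakglass or Mallory code. Indicator values come from
the report; the log lines and the kind labels are constructed here.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# C2 endpoints from the report, kept defanged the way reports publish them.
# An indicator that carries a port only counts as a full hit on that port.
C2_ENDPOINTS = {
    "91.124.98[.]29:2626": "live QuasarRAT/DarkMe C2 (Office04 campaign)",
    "192.109.200[.]147": "Sentinel QuasarRAT C2 (Pumpfun campaign)",
}
# The report says the Sentinel C2 shares its PFCLOUD /24 with CountLoader
# infrastructure; the exact range below is an assumption derived from that IP.
SUSPECT_NETS = {"192.109.200.0/24": "PFCLOUD /24 shared with CountLoader"}
# Developer build-path artifact reused across the WaterHydra/DarkMe lineage.
PATH_FINGERPRINTS = {r"\vaeeva\shellrundll.tlb": "WaterHydra 'vaeeva' build path"}

# IPv4 address with an optional ":port" suffix.
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


@dataclass
class Match:
    line_no: int
    kind: str       # c2_endpoint, c2_host, suspect_net or build_path
    indicator: str
    note: str


def refang(indicator: str) -> str:
    """Turn report-style '192.109.200[.]147' into a matchable '192.109.200.147'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def scan_line(line_no: int, line: str) -> list[Match]:
    hits: list[Match] = []
    for ip_str, port in ENDPOINT_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # IP-shaped text that is not an address, e.g. 300.1.1.1
        hit_endpoint = False
        for raw, note in C2_ENDPOINTS.items():
            ind_ip, _, ind_port = refang(raw).partition(":")
            if ind_ip != ip_str:
                continue
            hit_endpoint = True
            if not ind_port or ind_port == port:
                hits.append(Match(line_no, "c2_endpoint", refang(raw), note))
            else:
                # Same host on another port: still worth a look, lower confidence.
                hits.append(Match(line_no, "c2_host", refang(raw),
                                  f"{note}; indicator port {ind_port}, observed {port or 'none'}"))
        if hit_endpoint:
            continue  # an exact endpoint hit already outranks the subnet hit
        for net, note in SUSPECT_NETS.items():
            if ip in ipaddress.ip_network(net):
                hits.append(Match(line_no, "suspect_net", net, note))
    lowered = line.lower()
    for fragment, note in PATH_FINGERPRINTS.items():
        if fragment.lower() in lowered:
            hits.append(Match(line_no, "build_path", fragment, note))
    return hits


def scan_log(text: str) -> list[Match]:
    hits: list[Match] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            hits.extend(scan_line(line_no, line))
    return hits


def summarize(matches: list[Match]) -> dict[str, int]:
    """Count hits per kind, e.g. for a one-line triage summary in a ticket."""
    return dict(Counter(m.kind for m in matches))


# Constructed sample log (not real traffic); PLACEHOLDER_HASH stands in for a digest.
SAMPLE_LOG = r"""2026-03-07T10:02:11Z proxy src=10.0.4.21 dst=91.124.98.29:2626 proto=tls bytes=1842
2026-03-07T10:02:12Z proxy src=10.0.4.21 dst=142.250.72.46:443 proto=tls bytes=5120
2026-03-07T10:03:40Z fw src=10.0.4.33 dst=192.109.200.147:443 action=allow
2026-03-07T10:05:02Z fw src=10.0.4.33 dst=192.109.200.9:8080 action=allow
2026-03-07T10:06:15Z sandbox pdb=C:\Users\Administrator\Desktop\vaeeva\shellrundll.tlb sha256=PLACEHOLDER_HASH
2026-03-07T10:07:00Z proxy src=10.0.4.50 dst=91.124.98.29:443 proto=tls bytes=300
"""

if __name__ == "__main__":
    for m in scan_log(SAMPLE_LOG):
        print(f"line {m.line_no}: {m.kind:12} {m.indicator}  ({m.note})")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run against the constructed log it reports five hits: the two C2 endpoints, one neighbouring host in the assumed /24, the build-path string from the sandbox record, and the known C2 host seen on a port other than 2626, which is surfaced separately so a port change by the operator does not silently drop the host from view.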

