We ran a structured Shodan sweep targeting known stealer and RAT panel fingerprints. Within hours, we had nine distinct operations mapped across five continents, several with their guts spilled to the open internet.
The Hunt
The approach was straightforward: query Shodan for HTTP titles and body content matching known stealer panel patterns, then pivot from each hit to enumerate APIs, extract JavaScript, and fingerprint the operator's infrastructure. The queries ranged from direct name matches (http.title:"Lumma", http.title:"Amadey") to behavioral patterns (http.html:"stealer" http.html:"dashboard" http.html:"bots", http.html:"/api/gate" http.html:"token"). Most of the noise was legitimate businesses whose names collided with malware families. The signal, when it appeared, was unmistakable.
PoisonX Stealer, Swiss Bulletproof Hosting
The first serious find was 179[.]43[.]176[.]30, hosted on PRIVATE LAYER INC (AS51852) in Lugano, Switzerland. PRIVATE LAYER is a well-known bulletproof hosting provider. The server announces itself plainly:
> <a href="#"><b>PoisonX</b> Stealer</a>
The login page uses the Orbitron font, a Matrix-style animated background, and green-on-black theming. It runs Apache 2.4.58 on Windows Server with PHP 8.0.30, XAMPP stack, MariaDB 10.4.32. The RDP certificate leaks the hostname: WIN-8OA3CCQAE4D.
The operator left error reporting enabled. POSTing to /api/login without a captcha field triggers:
> Warning: Undefined array key "captcha" in C:\xampp\htdocs\api\login.php on line 20
Identical errors appear at /api/register. The full server path is confirmed as C:\xampp\htdocs\api\.
Beyond the login, path enumeration reveals the full panel structure. Every endpoint returns a 302 redirect to /login when unauthenticated, confirming the routes exist:
| Endpoint | Function |
|---|---|
/dashboard | Operator dashboard |
/builds | Payload builder |
/bots | Victim management |
/logs | Stolen data viewer |
/stats | Statistics |
/tasks | Task distribution |
/gate, /api/gate | Data reception gate |
/config, /settings | Panel configuration |
/upload | Returns {"status":"error","message":"Dont try to hack me !!!!"} |
/download | Returns User not logged in |
/register | Open registration (with optional invite code) |
The registration page is fully accessible. It accepts username, password, an optional invite code, and a CAPTCHA (securimage). The operator has not restricted who can create accounts on their stealer panel.
The server exposes eight ports: HTTP (80/443), RPC (135), SMB (445), MySQL/MariaDB (3306), RDP (3389), WinRM (5985), and Microsoft HTTPAPI (47001). This is a Windows machine with every management protocol open to the internet, sitting on bulletproof hosting, running an infostealer control panel.
Whack RAT, Full Protocol from Exposed JavaScript
At 49[.]12[.]124[.]231:8080 on Hetzner (AS24940, Falkenstein, Germany), we found a page titled "RAT Operator Dashboard." The /health endpoint confirmed the situation:
> {"status":"ok","clients":2}
Two active victims connected to a live RAT.
The dashboard loads its entire application from unminified JavaScript modules. The main app.js imports from ./websocket.js, ./protocol.js, and component modules for screen viewing, webcam, keylogger, terminal, and file management. The C2 server URL is hardcoded:
> this.serverUrl = 'wss://stream.whack.cy/operator'
On disconnect, the operator is redirected to https://whack.cy/dashboard/auth/login. The domain whack.cy (Cyprus TLD) does not currently resolve in public DNS, suggesting the operator uses private DNS, recently changed registrars, or deliberately delisted the domain while keeping the infrastructure live.
The Binary Protocol
The protocol.js file defines a custom binary WebSocket protocol with a 10-byte header:
| Offset | Size | Field |
|---|---|---|
| 0 | 1 byte | Message type (0x00-0x71) |
| 1 | 1 byte | Flags (COMPRESSED, ENCRYPTED, ACK_REQUIRED, CHUNKED) |
| 2-5 | 4 bytes | Sequence number (big-endian) |
| 6-9 | 4 bytes | Payload length (big-endian) |
| 10+ | variable | Payload (JSON or raw bytes) |
Screen frames and data streams use LZ4 compression (flag 0x01). The protocol defines 29 message types across seven modules:
| Range | Module | Types |
|---|---|---|
| 0x00-0x0A | Core | HELLO, HELLO_ACK, AUTH, AUTH_RESULT, PING/PONG, DISCONNECT, ERROR, MODULE_START/STOP/STATUS |
| 0x20-0x25 | Screen | CONFIG, FRAME, DIFF, CURSOR, INPUT, MONITORS |
| 0x30-0x33 | Camera | LIST, SELECT, CONFIG, FRAME |
| 0x40-0x42 | Keylogger | CONFIG, DATA, WINDOW |
| 0x50-0x54 | Shell | START, INPUT, OUTPUT, RESIZE, EXIT |
| 0x60-0x69 | Filesystem | LIST, LIST_RESULT, DOWNLOAD, UPLOAD_START, CHUNK, COMPLETE, DELETE, MOVE, MKDIR, ERROR |
| 0x70-0x71 | Rerun | REQUEST, RESULT |
The screen module supports live streaming with differential frame updates (SCREEN_DIFF), cursor tracking, and multi-monitor selection. The keylogger tracks active window titles alongside keystroke data. The shell provides a full interactive terminal with resize support. The filesystem module handles browsing, upload, download, deletion, moves, and directory creation, defaulting to C:\ on connection, confirming the implant targets Windows.
Authentication uses browser cookies (the sessionId cookie is automatically sent with the WebSocket upgrade). The client list component reveals what victim metadata the operator sees: client ID, hostname, OS, username, a user_uuid, and whether the session is elevated (admin privileges), displayed with a red "ELEVATED" badge.
The "rerun" feature allows the operator to re-execute the implant on a victim machine, suggesting persistence recovery capabilities.
CNG/Cingenler RAT, Turkey
At 31[.]57[.]77[.]35:3333, hosted by Keyubu (AS210538) in Basaksehir, Istanbul, we found the "CNG RAT Control Panel," version 2.0, self-identified as "Cingenler Rat." The dashboard is completely open, no authentication required.
The panel runs on FastAPI (uvicorn) and exposes the standard FastAPI documentation endpoints at /docs (Swagger UI) and /openapi.json. The API schema, while minimal in the spec, reveals a Python backend.
The visible interface includes:
- Dashboard: Total Bots, Online Now, Active Streams
- Botnet Console: Command distribution
- Keylogger: Keystroke capture
- Password Vault: Credential storage
- Screen View: Live streaming at resolutions up to 1080p, frame rates up to 144 FPS
- Audio Surveillance: Microphone input and speaker output capture
- Webcam: Camera streaming
The server also exposes MySQL/MariaDB (3306), RDP (3389), FTP (21), and two web servers (80/443 running Apache, 5000 running Flask). The hostname resolves to server.keyubu.com.
The Stealer Twins, GLOBAL CONNECTIVITY SOLUTIONS
Two servers with identical configurations sit on GLOBAL CONNECTIVITY SOLUTIONS LLP (AS215540): 89[.]185[.]82[.]181 in Skopje, North Macedonia, and 89[.]185[.]81[.]203 in Oslo, Norway. Both serve the same 7,529-byte dashboard page titled "Stealer Server - Dashboard" with the misspelling "Stealler" in the header.
The JavaScript in the dashboard calls two API endpoints: /status (returns {sessions_processed, total_storage_mb, status}) and /list (returns session data with download_url fields). Both require authentication, returning {"error":"Authentication required"}. The login page requires only a password, no username.
The Skopje server also holds an SSL certificate for online-tenderconfirmation.com, a domain consistent with business email compromise or procurement fraud phishing. The same operator is running a stealer infrastructure alongside a phishing campaign.
Steam Stealer, Brazilian Portuguese on Google Cloud
At 34[.]134[.]154[.]94 on Google Cloud (AS396982), a Node.js Express server hosts a "C2 Dashboard - Steam Stealer." The login form requires username and password, and the API endpoints /api/sessions, /api/captures, and /api/stats all return authentication errors in Brazilian Portuguese:
> {"error":"Token nao fornecido"} (Token not provided)
> {"error":"Username e password sao obrigatorios"} (Username and password are required)
The panel tracks "Total Sessions," "Active Today," "Total Captures," and "Captures Today," indicating a focus on volume: stealing Steam account credentials at scale.
Enhanced Stealer Server, Moldovan Bulletproof Hosting
At 146[.]19[.]213[.]175:5000, on ALEXHOST SRL in Moldova (another known bulletproof hosting provider), a Flask/Werkzeug server identifies itself as "Enhanced Stealer Server." The status page reports online, with endpoints for /login, /upload, /dashboard, and /logs. The upload API at /api/upload accepts file POSTs. Login requires username and password, returning "Invalid credentials" on failure.
RAT Control Panel, Bot Manager
At 170[.]205[.]31[.]153:8080 on Advin Services LLC (AS206216, Los Angeles), an Express.js application serves a "RAT Control Panel - Bot Manager." Unlike most panels we found, this one has completely open API endpoints:
> GET /api/bots returns {"success":true,"bots":[]}
> GET /api/stats returns {"success":true,"stats":{"totalBots":0,"activeBots":0,"blockedBots":0,"pendingCommands":0}}
The dashboard includes bot management (total, active, blocked), a command prompt for sending instructions to bots, a build system, and domain management. At the time of observation, the botnet was empty, either freshly deployed or recently cleaned out. Shodan shows a second identical panel on the same ISP at 160[.]187[.]210[.]154:8080.
Korean Payment Stealer
At 116[.]124[.]133[.]191:8112 on SK Broadband (AS9318) in South Korea, a Java Spring Boot application presents a professional login page titled simply "STEALER." It requires three credentials: ID, Password, and OTP (one-time password). The login function POSTs to /reqLogin and on success redirects to /payList, a payment list view.
The Korean text in the footer reads: "평일 09:00 ~ 18:00 / 주말 및 공휴일 휴무" (Weekdays 9:00-18:00 / Weekends and holidays closed). A password reset notice instructs users to "contact customer service." Cookie names include userIdMer and languageTypeMer, where "Mer" almost certainly stands for "Merchant."
This is not a hobby project. It is a professionalized payment card skimming operation with business hours, customer support, OTP security for operators, and a merchant-facing portal for browsing stolen payment data. The bilingual Korean/English interface suggests an operation selling access to an international clientele.
Redline Script, Multi-Service Hetzner Box
At 5[.]9[.]148[.]210 on Hetzner (AS24940, Falkenstein, Germany), a server runs 11 open ports. Port 8000 hosts "Redline Script" with a "Panel Control" subtitle, offering "List all channels," "Force token update," and a support link. The channel list includes: Arabic, English, Kurdish, Turkish, Persian, French, German, Dutch, Belgian, Spanish, Italian, and Brazilian.
Port 9090 and 42113 run "Streamer 21.10," a media streaming service. Port 48888 runs Squid 5.7 proxy. Ports 82-84 and 92 all serve nginx. This box is a multi-purpose infrastructure node, combining what appears to be an IPTV piracy operation with a stealer panel and an open proxy.
Going Inside
Surface enumeration tells you what is exposed. Getting inside tells you what it does. We pushed past the login screens where we could.
CNG RAT: Full Admin, No Password
The CNG RAT panel uses Socket.IO (loaded from Cloudflare CDN) with its real logic in /static/script.js, a 31,638-byte unminified JavaScript file. On connection, the client emits a single event, login_admin, with no credentials. The server responds with a bot_list event containing every connected victim.
We connected, emitted login_admin, and received full admin access. At the time of our session the botnet had zero active bots, but the panel was fully operational and waiting. The exposed source code reveals the complete command set:
- shell with {cmd: "..."} for arbitrary command execution
- start_screen / stop_screen for live screen streaming
- start_webcam / stop_webcam for camera access
- start_audio / stop_audio for microphone capture
- start_desktop_audio for system audio capture
- list_files / download_file for filesystem access
- show_msg to display alert boxes on victim machines
- open_url to force-open URLs in the victim's browser
- jumpscare (self-explanatory)
- steal_credentials for mass credential extraction
- start_ddos / stop_ddos with target, port, method, and thread count
- broadcast_to_all to send any command to every connected bot simultaneously
The DDoS function accepts a target host, port, method, and thread count. The YouTube botnet function (launchBotnetYT) opens a URL with loop: true on all bots, likely for view inflation. Turkish-language strings throughout the code ("Yeni bot baglandi" for new bot connected, "Oyun Modu: AKTIF" for game mode active) confirm the operator's nationality.
Whack RAT: Client Authentication Bypass
The Whack RAT's operator endpoint at /operator requires a valid session cookie. But the client endpoint at /client, where implants connect, has no authentication at all.
We connected via WebSocket, sent a HELLO message (type 0x00), and received:
> {"server":"rat-server/1.0","session_id":"6d5a9db2dad10d4c354421f8a08259a6"}
We then sent an AUTH message (type 0x02) with fabricated victim metadata (hostname, OS, username, elevated status) and received:
> AUTH_RESULT: {"success":true}
The server accepted us without question. The /health endpoint, which previously reported 2 clients, immediately jumped to 3. We were now registered as a victim in the operator's dashboard, visible alongside the two real compromised machines.
This confirms the implant uses no client-side certificates, no pre-shared tokens, and no verification of any kind. Anyone who can reach port 8080 can register as a victim. The server version string rat-server/1.0 and the session generation pattern (32-character hex) are now documented fingerprints.
RAT Bot Manager: Open API
The Express.js RAT at 170[.]205[.]31[.]153:8080 serves its bot management API without any authentication. GET /api/bots returns the full bot list. GET /api/stats returns live statistics. POST /api/build accepts requests but requires parameters, returning {"success":false,"error":"Missing parameters"}, confirming the build system is functional and reachable. The botnet was empty at observation time, either freshly deployed or recently purged.
What This Tells Us
Nine operations, nine different levels of operational security:
- PoisonX runs on bulletproof hosting but leaks PHP errors and leaves registration open
- Whack RAT uses a custom binary protocol with encryption flags but serves the complete protocol definition from an unauthenticated web server
- CNG/Cingenler RAT has no authentication at all, with Swagger docs exposed
- The Stealer Twins require only a password, no username
- The Steam Stealer exposes error messages in Portuguese, fingerprinting the operator's nationality
- The Korean payment stealer has OTP and business hours, the most professional operation in the set, but still sits on a residential ISP with its login page indexed by Shodan
The hosting choices tell their own story. Two operations use known bulletproof providers (PRIVATE LAYER, ALEXHOST). Two use Hetzner, the go-to for cheap European VPS. One abuses Google Cloud. One sits on a Turkish personal hosting account. Two run on GLOBAL CONNECTIVITY SOLUTIONS, an ISP whose /24 blocks are heavily populated with malware infrastructure.
None of these operators expected anyone to look.
IOC Summary
Network Infrastructure
| Indicator | Type | Context |
|---|---|---|
179.43.176.30 | IPv4 | PoisonX Stealer panel, PRIVATE LAYER bulletproof hosting |
49.12.124.231 | IPv4 | Whack RAT operator dashboard, Hetzner |
whack.cy | Domain | Whack RAT C2 domain (Cyprus TLD) |
stream.whack.cy | Domain | Whack RAT WebSocket C2 server |
31.57.77.35 | IPv4 | CNG/Cingenler RAT panel, Turkey |
server.keyubu.com | Domain | CNG RAT server hostname |
89.185.82.181 | IPv4 | Stealer Server dashboard, Skopje |
89.185.81.203 | IPv4 | Stealer Server dashboard, Oslo |
online-tenderconfirmation.com | Domain | Phishing domain on stealer infrastructure |
34.134.154.94 | IPv4 | Steam Stealer C2, Google Cloud |
146.19.213.175 | IPv4 | Enhanced Stealer Server, ALEXHOST Moldova |
170.205.31.153 | IPv4 | RAT Control Panel, Advin Services |
116.124.133.191 | IPv4 | Korean payment stealer, SK Broadband |
5.9.148.210 | IPv4 | Redline Script panel, Hetzner |
Hosting and ASNs
| ASN | Organization | Role |
|---|---|---|
| AS51852 | PRIVATE LAYER INC | Bulletproof hosting, PoisonX |
| AS24940 | Hetzner Online GmbH | Whack RAT dashboard, Redline Script |
| AS210538 | Keyubu | CNG RAT, Turkey |
| AS215540 | GLOBAL CONNECTIVITY SOLUTIONS | Stealer twins, phishing |
| AS396982 | Google LLC | Steam Stealer C2 |
| AS206216 | Advin Services LLC | RAT Bot Manager |
| AS9318 | SK Broadband | Korean payment stealer |
Technical Fingerprints
| Indicator | Context |
|---|---|
WIN-8OA3CCQAE4D | PoisonX server hostname (RDP cert) |
C:\\xampp\\htdocs\\api\\ | PoisonX PHP path |
wss://stream.whack.cy/operator | Whack RAT C2 WebSocket URL |
https://whack.cy/dashboard/auth/login | Whack RAT operator login |
Whack protocol header: [type:1][flags:1][seq:4][len:4] | Binary protocol fingerprint |
/reqLogin POST to /payList redirect | Korean stealer login flow |
Stealler (misspelled) | GLOBAL CONNECTIVITY stealer server marker |
Cingenler Rat Control Panel - v2.0 | CNG RAT version string |