← Dispatches

TLP:CLEAR · 2026-02-27

The Server That Attacked Itself: Tracing a Live Ransomware Operation Through Luxury Hotel and Airline Infrastructure

Starting from a single exposed open directory on a UK server, we mapped a network of six compromised Kaleidovision KL4 music scheduling systems, background music infrastructure for Schroders, Cathay Pacific, and The Beaumont Hotel, all implanted with the same custom Go reverse SOCKS5 proxy. The servers double as staging platforms, malware depots, and proxy nodes. One exposed MySQL general query log captured a complete database ransom operation. Another MySQL instance remains wide open with root access, PE executables stored in tables, and artifacts from multiple unrelated threat actors. The implant was updated across all nodes within hours of publication.

What began as an open directory on a UK server turned into a six-node proxy network spanning two continents, three luxury brands, and at least three distinct threat actors operating on the same compromised infrastructure simultaneously.

The Initial Find

While scanning for exposed infrastructure, we found a Windows server at 94[.]31[.]47[.]252 on ZAYO GROUP UK (AS6461) with nine ports open to the internet: HTTP (80), RDP (3389), VNC (5800/5900), MySQL (3306), SMB (139/445), RPC (135), and an application on port 1000. The HTTP server hosted an open directory. On port 1000, a service identified itself as KL4 Music Scheduler, commercial broadcast automation software by Kaleidovision.

The KL4 API endpoint at /currentplaying.xml returned:

> <artist>Andres Cardenes, Luz Manriquez</artist>

> <track>Pale Moon (Transcribed By Fritz Kreisler)</track>

> <profile>Schroders Long Room - Evening</profile>

This is a background music system for Schroders, one of the UK's largest asset managers. The /profiles.xml endpoint confirmed five playlist profiles: Schroders Long Room - Day (06:00-16:30), Evening (16:30-00:00), Jazz Evening (On Demand), and Party Evening (On Demand), with country code GBR and active since October 2020.

The Open Directory and the Implant

The web server at port 80 exposes an Apache directory listing:

FileLast ModifiedSizeNotes
rs03.exeFeb 26, 2026 21:254.5MBGo reverse SOCKS5 proxy
rss.exeJan 18, 2026 06:374.5MBIdentical binary (same SHA-256)
rdp.batNov 27, 2025 02:45-RDP enablement toolkit
show3389.batNov 27, 2025 02:44-RDP diagnostics (Chinese translation artifacts)
a.phpDec 17, 2024 02:11-MySQL general query log
emptyJul 16, 2014 10:560Kaleidovision system file
music/Aug 11, 2021 14:34-Kaleidovision web interface

Binary analysis of rs03.exe reveals a custom Go reverse SOCKS5 proxy built from two key dependencies: github.com/armon/go-socks5 for SOCKS5 proxying with username/password authentication, and github.com/inconshreveable/muxado for TCP multiplexing, the same library used by ngrok. Communications are encrypted with ChaCha20-Poly1305. The binary was compiled with -ldflags="-s -w" (stripped), and the source path leaked from the build metadata is /x/rs/main.go on a machine with username me. No C2 address is hardcoded, the destination is passed as a runtime argument.

This is not a scanning tool or an RDP exploit. It is a tunneling implant that turns compromised machines into encrypted SOCKS proxy nodes, routing attacker traffic through legitimate corporate infrastructure.

rdp.bat enables Windows Remote Desktop via registry modification, installs RDPWrap for concurrent sessions, checks TermService status, and enumerates network connections. show3389.bat is a more polished RDP diagnostic tool with Chinese-English translation artifacts, "Successful detection of eavesdropping" where "listening" was intended, and mixed language formatting that indicates a Chinese-speaking author.

Mapping the Network

Searching Shodan for the same binary and KL4 Music Scheduler fingerprint, we found the implant deployed across six servers and one additional compromised gaming server:

ServerLocationVenuers03.exe UpdatedPorts
94.31.47.252UK, ZAYOSchroders Long RoomFeb 26, 21:25 UTC80, 135, 139, 445, 1000, 3306, 3389, 5800, 5900
94.31.47.253UK, ZAYOSchroders GymFeb 26, 21:26 UTC80, 135, 139, 445, 3306, 3389, 5357, 5800, 5900
5.148.149.198UK, Exponential-EThe Beaumont Hotel GymFeb 26, 21:25 UTC80, 135, 445, 1002, 3002, 3306, 3389, 5800, 5900
118.140.110.132HK, HGCCathay Pacific Haven RestPresent80, 1000, 3002, 3306, 5800, 5900
118.140.110.134HK, HGCCathay Pacific Teahouse / HK PierFeb 27, 05:25 UTC80, 135, 1002, 3002, 3306, 5800, 5900
88.99.51.113DE, HetznerArkSurvival.cz (gaming)Present21, 80, 135, 443, 445, 3001, 3306, 3389, 5357, 5985, 27015

Every binary is identical: SHA-256 cb5e1686e66c42b1929f8da26d6260f8202cb9d68a95b322a0d5e3e9df159571, 4,691,456 bytes, PE32+ x86-64. The UK servers (.252, .253, .198) were all updated within one minute of each other on February 26. The Hong Kong Cathay Pacific Teahouse server (.134) was updated at 05:25 UTC on February 27, while we were conducting this investigation.

The Venues

Schroders (94.31.47.252 and 94.31.47.253)

Two adjacent IPs on the same ZAYO GROUP UK allocation serve music for different spaces at what appears to be a Schroders office. The .252 system runs the Long Room, a hospitality or client-facing lounge, with Day, Evening, Jazz Evening, and Party Evening profiles. The .253 system runs the Gym with six time-segmented profiles (Early Morning through Evening) and on-demand options like "Pumping" and "00's Mix." Both share the same empty file timestamped July 16, 2014 and the same music/ directory from August 11, 2021.

Cathay Pacific (118.140.110.132 and 118.140.110.134)

Two servers on HGC Global Communications in Hong Kong, two IPs apart. The .132 system serves The Haven, Cathay Pacific's premium lounge brand at Hong Kong International Airport, with five time-segmented profiles covering 24 hours (Morning 1/2, Morning 2/2, Afternoon, Evening, Night) plus a Brand Melody on-demand option. The .134 system serves the Teahouse at the Pier Business Class lounge with its own profile set. Both have been active since May 2015.

The Beaumont Hotel (5.148.149.198)

A server on Exponential-E in London running music for The Beaumont, a luxury Art Deco hotel in Mayfair. The KL4 system serves the hotel gym. At the time of investigation, it was playing Bach's Suite No. 3 in D Major.

ArkSurvival.cz (88.99.51.113)

A Hetzner-hosted Windows server running an ARK: Survival Evolved game server for a Czech and Slovak gaming community. Unlike the Kaleidovision systems, this server has no KL4 scheduler but shares the same implant. It also runs Apache with PHP, FTP (FileZilla), WinRM, and MariaDB 10.4.32, and hosts game mod files for "Lethal Quests."

The MySQL Ransom Log

The file a.php on .252 is a MySQL 5.5.24 general query log from a WAMP instance. It records a complete database ransom operation carried out on December 16-17, 2024, by three attacker IPs in sequential waves.

Reconnaissance (Dec 16, 18:08 UTC): 106[.]75[.]186[.]101 connected as root and ran SHOW DATABASES. This IP resolves to mail[.]ymmmeui[.]cn on UCLOUD in Shenzhen, China. No further action, just cataloging targets.

Wave 1 (Dec 16, 22:01 UTC): 45[.]149[.]241[.]135 (Central Technology Ltd, UK) executed an automated sequence across 14 connections: SET AUTOCOMMIT=0SHOW DATABASESUSE <db>SHOW TABLESDROP TABLECREATE TABLE IF NOT EXISTS RECOVER_YOUR_DATA → insert ransom note → COMMITDROP DATABASESHUTDOWN. DBCODE: 2X4Q2.

Wave 2 (Dec 17, 02:10 UTC): 194[.]48[.]251[.]149 (IP-Projects/AMEE TECH, Netherlands) ran the identical automation with DBCODE 2RIRI.

Wave 3 (Dec 17, 02:11 UTC): 194[.]48[.]251[.]49, same /24 subnet as Wave 2, ran the same with DBCODE 2A0KU and issued the final SHUTDOWN.

The ransom note instructs victims to pay 0.0075 BTC to bc1qunqtf8zqxwkwyp4xrx5jpvuxmmeyxc2jd97zlx and contact dzen+<DBCODE>@onionmail.org. The shortened URL https://is[.]gd/yotuqu redirects to 2info[.]win/mysql on EGIHosting Romania, serving an encrypted paste with payment instructions.

The same ransomers hit the Cathay Pacific Haven Rest server (.132): the recover_your_data database exists there as well. A second exposed MySQL log on the Teahouse server (.134), also accessible as a.php, shows the general log was queried with SHOW GLOBAL VARIABLES WHERE Variable_name="general_log_file" before being copied to the web root, suggesting the attacker deliberately exposed the log.

Following the Money

The ransom wallet bc1qunqtf8zqxwkwyp4xrx5jpvuxmmeyxc2jd97zlx received 0.00195 BTC on December 20, 2024. It was moved within two hours to bc1qwfl5x7qwgttnqkrhxjauma4gpwjjt57clu7me4, which then consolidated with 14 other feeder wallets into a single transaction of 0.35176066 BTC directed to bc1q2rr03kc7p04hk0rxdkwmpsm3pdezcd0l960qy2. Each feeder wallet represents a separate victim payment, 15 unique ransom collection addresses in total. The aggregation wallet was emptied within 24 hours to bc1qa6eur8flph9dr44j4tggxn0mcjtm8dzcdaqzvh.

The Operator's Consolidation Wallet

From the final destination, funds moved to 3Pc8g6LJcfT3nEZNj4PPP6GHZYEBT3xUNA, which WalletExplorer clusters into an 8-address wallet (0d3aa23db4063bb0). All 8 inputs belong to the same operator:

AddressAmount (BTC)
38Yf3LQCkJw6CAjkSercyUW4M8X2tFbKR92.61207
3FEWSPVNiDYchsVcsCRRMKaKNc1eRWaC4K0.71178
3Pc8g6LJcfT3nEZNj4PPP6GHZYEBT3xUNA0.35164
39CtdeCsnv4A93M7b4sqFH74ED3ffxaGvB0.34290
34qzx34xpniBbeDcg1kKMsP7JHbDns4cEn0.16695
3HSnnuZY6E4QPRdtqUZYfFbsnr8ETBDZ7V0.03390
365fQSo4LvaWH4Fo9cS9JLybxmqY6VRcM50.01078
32HAC6LHNySdy7gxPuWLLYyLUqPNTUsX5U0.00696

Total: 4.24 BTC (~$424,000). Our 0.35 BTC ransom batch is just one of at least eight separate collection rounds funneled through the same operator wallet. The largest single input (2.61 BTC) suggests a significantly larger parallel campaign.

Deep Peeling Chain

From the consolidation wallet, funds are split into three outputs and routed through a deliberately deep peeling chain, a sequence of single-address relay wallets, each forwarding to the next, designed to frustrate blockchain tracing. We traced six hops of 1-input/1-output transactions before the chain splits further. Some funds remain parked in intermediate wallets that have not yet been moved, suggesting the operator stages funds for eventual exchange deposit rather than cashing out immediately.

Cash-Out: Kraken

WalletExplorer confirms the exchange. One of the 15 ransom collection addresses, bc1qq904ynep5mvwpjxdlyecgeupg22dm8am6cfvgq, belongs to a wallet cluster (cc742284eb1d112e) that made three direct deposits to WalletExplorer's labeled Kraken.com wallet (00001012b1848923, a cluster of 2.1 million deposit addresses) on September 29, 2025:

Amount (BTC)Destination
0.00338572Kraken.com
0.00878408Kraken.com
0.00069828Kraken.com

The confirmed deposits are small, likely test transactions or operational spending, but they establish Kraken as the cash-out exchange for this operation. The bulk of the 4.24 BTC flows through the layered peeling chain, with the final exchange deposits still pending at several intermediate addresses. The operator is cautious: funds are moved in stages, not dumped directly into an exchange.

The Wide-Open MySQL: A Crime Scene with Multiple Actors

The Cathay Pacific Haven Rest server (.132) still accepts MySQL connections as root with no password. The database contains artifacts from at least three distinct threat actors.

14 accounts, zero passwords. Beyond the root account, every additional MySQL user, user, admin, dbadmin, app, username, dex, test, exchange, wordpress, game, dev, appuser, Admin, accepts login from any host with no password.

Modified grants as a calling card. The ransomers stripped root@% of SELECT, INSERT, UPDATE, and DELETE privileges while retaining CREATE, DROP, RELOAD, and SHUTDOWN. This means the recover_your_data table exists but cannot be read remotely, a deliberate post-exploitation modification that blocks cleanup attempts while preserving the ransom note for local viewing.

PE executables in MySQL tables. The mysql database contains 15 tables that should not exist, dgnbjl, fjqzcx, icsglu, owrkgu, phvmwk, sillyr5_x, sillyr_x, tcoamh, tempmix, tempmix1, tempmix4, ucltdb, wnwted, yfgcir, zdhspw. The dgnbjl table contains a Windows PE executable, the raw binary begins with the DOS stub "This program cannot be run in DOS mode." The sillyr_x and sillyr5_x tables contain Delphi-compiled binaries with exception handler strings (EFile, EDivByZero, ERange, EOverflow, EOutOfMemory). Multiple actors have been using this MySQL instance as a malware staging depot, uploading executables directly into database tables for later retrieval.

Uptime and connection patterns. At the time of investigation: 9.4 hours uptime (recently restarted), 482 total connections of which 432 were aborted, 90% of all inbound MySQL connections are automated scanners or failed exploitation attempts. Binary log file #862 indicates months of sustained operation.

A Third MySQL Log: The Operator Returns

The Cathay Pacific Teahouse server (.134) contains a file named ovh.php, not PHP code, but a MySQL general log from May 31, 2025. It captures a phpMyAdmin session from localhost running standard administration queries: SHOW MASTER STATUS, SHOW SLAVE STATUS, SHOW GLOBAL STATUS, SHOW PROCESSLIST, and SELECT UNIX_TIMESTAMP() - 9443 (a phpMyAdmin uptime calculation). This is the legitimate operator, or someone with local access, performing routine database maintenance five months after the ransom attack.

The same server also contains 330ddac7b989d5a0e69cf3a7a4192b72.php, an MD5 hash as a filename, a classic webshell indicator. It executes PHP (running PHP/5.3.13 on Apache/2.2.22, the stock WAMP stack) and returns a minimal output of PHP7E<pre></pre>, consistent with a test beacon or minimal webshell.

Timeline

DateEvent
Jul 2014empty file created across all Kaleidovision systems (system provisioning)
May 2015Cathay Pacific KL4 profiles activated
Oct 2020Schroders Long Room profiles activated
Aug 2021Kaleidovision /music/ web interface deployed
Mar 2024Webshell 330ddac7...php placed on Cathay Pacific Teahouse server
Jun 2024Schroders Long Room Jazz and Party evening profiles added
Dec 16, 2024 18:08Reconnaissance scanner 106.75.186.101 probes .252 MySQL
Dec 16, 2024 22:01Ransom Wave 1 (45.149.241.135) hits .252
Dec 17, 2024 02:10Ransom Wave 2 (194.48.251.149) hits .252
Dec 17, 2024 02:11Ransom Wave 3 (194.48.251.49) hits .252, issues SHUTDOWN
Dec 17, 2024 20:03MySQL log exposed as a.php on .134 (log file query captured)
Dec 20, 2024Ransom payment of 0.00195 BTC received, consolidated with 14 other victim payments
May 31, 2025Operator phpMyAdmin session captured in ovh.php on .134
Nov 2025RDP toolkit (rdp.bat, show3389.bat) staged on .252
Jan 9, 2026Schroders Gym profiles created (.253 system)
Jan 18, 2026rss.exe (proxy implant v1) deployed across network
Feb 1, 2026Schroders Gym profiles updated
Feb 26, 2026 21:25rs03.exe updated on .252, .253, .198 within one minute
Feb 27, 2026 05:25rs03.exe updated on .134 (during our investigation)

IOC Summary

Proxy Network Nodes

IndicatorTypeVenue
94.31.47.252Compromised IPSchroders Long Room, UK (ZAYO, AS6461)
94.31.47.253Compromised IPSchroders Gym, UK (ZAYO, AS6461)
5.148.149.198Compromised IPThe Beaumont Hotel Gym, UK (Exponential-E, AS5607)
118.140.110.132Compromised IPCathay Pacific Haven Rest, HK (HGC, AS9304)
118.140.110.134Compromised IPCathay Pacific Teahouse / HK Pier, HK (HGC, AS9304)
88.99.51.113Compromised IPArkSurvival.cz gaming, DE (Hetzner, AS24940)

Implant

IndicatorTypeNotes
cb5e1686e66c42b1929f8da26d6260f8202cb9d68a95b322a0d5e3e9df159571SHA-256rs03.exe / rss.exe, Go reverse SOCKS5 proxy (muxado + ChaCha20-Poly1305)
78c76393b576c2e9e630e792a4af06f797565380a530f6d711f1f2c2ee1c5a7dSHA-256rdp.bat, RDP enablement and RDPWrap installer
832bc26f058b2cefe84b4c8e65df82d57c3481a2f77778974c1584c906632b8fSHA-256show3389.bat, RDP diagnostics with Chinese translation artifacts
330ddac7b989d5a0e69cf3a7a4192b72.phpWebshellMD5-named PHP beacon on .134

Database Ransom Operation

IndicatorTypeNotes
106.75.186.101Recon IPUCLOUD Shenzhen, hostname mail[.]ymmmeui[.]cn
45.149.241.135Ransom IPCentral Technology Ltd, UK, Wave 1, DBCODE 2X4Q2
194.48.251.149Ransom IPIP-Projects/AMEE TECH, NL, Wave 2, DBCODE 2RIRI
194.48.251.49Ransom IPIP-Projects/AMEE TECH, NL, Wave 3, DBCODE 2A0KU
bc1qunqtf8zqxwkwyp4xrx5jpvuxmmeyxc2jd97zlxBTC WalletRansom collection address
bc1qwfl5x7qwgttnqkrhxjauma4gpwjjt57clu7me4BTC WalletFirst-hop cash-out
bc1q2rr03kc7p04hk0rxdkwmpsm3pdezcd0l960qy2BTC Wallet15-victim aggregation wallet (0.35 BTC)
bc1qa6eur8flph9dr44j4tggxn0mcjtm8dzcdaqzvhBTC WalletFinal destination, emptied to operator consolidation
3Pc8g6LJcfT3nEZNj4PPP6GHZYEBT3xUNABTC WalletOperator consolidation wallet (4.24 BTC across 8 addresses)
bc1qq904ynep5mvwpjxdlyecgeupg22dm8am6cfvgqBTC WalletCollection address with confirmed Kraken deposits
Kraken.comExchangeCash-out exchange, 3 deposits confirmed via WalletExplorer (Sept 2025)
dzen+<DBCODE>@onionmail.orgEmail PatternPer-victim ransom contact
2info[.]winDomainRansom instructions (EGIHosting Romania, AS215659)
https://is[.]gd/yotuquURLShortened redirect to payment page
RECOVER_YOUR_DATADetectionTable/database name created by ransom automation

Intercept Cell Research is a Cipher Cortex research program. Hooked Scams is a scam investigation series from Intercept Cell Research.