Cloned VM Image, Three Cryptojacking Panels, One Delivery Chain
I was hunting something else entirely when I stumbled into a cryptojacking operation. Three IP addresses running PureMiner mining panels, all exposing their open directories. Two of them are byte identical clones of the same Windows VM image, proven by identical RDP certificates, SMB server GUIDs, and machine names. The third is connected via a shared PowerShell dropper. When I checked the three nodes against the feeds, the coverage was a patchwork: one node was flagged in some places and invisible in others, and one was missing from everything I checked. I mapped all of them, decoded the actual injected payloads, and found the operation is not just cryptojacking, it runs an AsyncRAT build configured to profile victims for cryptocurrency wallets and flag high value theft targets.
The short version
- Three IP addresses running PureMiner cryptojacking panels, all in open directories. Two are byte identical clones of the same VM image (identical RDP certs, SMB GUIDs, machine names). The third is tied via a shared dropper.
- Feed coverage across the three nodes is a patchwork. Checking against two separate feeds (ThreatFox and OTX), one node was known in both, one was missing from ThreatFox but already sat in 33 OTX pulses, and one was absent from both. That last one is the genuinely new node.
- The Bangkok node stages process injection delivery using AutoHotkey scripts that decode and hollow inject PE binaries into suspended AppLaunch.exe processes.
- The decoded payloads are a known AsyncRAT variant (58/76 VT detections) and a second AsyncRAT based build configured as a cryptocurrency wallet stealer that profiles victims by scanning for installed crypto wallet browser extensions and checking 2FA status.
- The operation is a target profiling pipeline: Stage 1 profiles victims for wallets, Stage 2 deploys crypto theft tools to high value targets.
How I got here
I was hunting something unrelated on Censys, pivoted on a different lead entirely, and by accident landed on a PureMiner panel sitting in an open directory on a host that was also running AsyncRAT. That host turned up in the feeds. But when I pulled its details, I noticed something odd: the RDP certificate and SMB server fingerprints looked like they had been copied byte for byte to another host on a different provider. Then a third node turned up in the dropper configuration. By the time I was done, I had three nodes, all connected by infrastructure forensics rather than by anything the feeds handed me.
The point is that feed coverage is not complete, and machines leave fingerprints when you look at the right data. An RDP certificate is not a mystery, it is a copy paste operation. An SMB server GUID is a cloned drive. A machine name is a template image. These are the tells that real operators do not think about.
The nodes
172.94.18[.]103 (M247 Europe, Frankfurt DE)
Status: Known in both feeds. ThreatFox entry since October 2025 (AsyncRAT), and 50 pulses on OTX. VT 15/91 detections. This is the operation's known anchor node.
This host is running PureMiner on port 80 with an open directory. It also listens for AsyncRAT C2 on ports 73, 75, 76, 79, and 80. The exposed directory contains server.pfx (the RDP host private key) and usersettings.json (the mining configuration, 107 KB, showing pool addresses, profitability algorithm weights, and the payout wallet). The DDNS fronts proxey[.]publicvm[.]com and panel[.]freeddns[.]org both resolve to this IP.
46.105.149[.]77 (OVH SAS, Gravelines FR)
Status: The feed gap case. ThreatFox returned no result, but OTX already had it in 33 pulses. VT 2/91 (noise). So this node was invisible to one feed while well documented in another, which is exactly the single feed blind spot worth paying attention to.
This host is a byte identical clone of 172.94.18[.]103. Proof:
- RDP host certificate: identical SHA 256
0254cdb43059463dc3c6c752a629ce7afe79b83e6a3f24bfa799d5540585a633 - Certificate serial: 42080847443163672693097279193958762668 (same)
- SMB server GUID:
…48bdf0df8a67e040aab8fdd21d197710(same) - Computer name: KSKGNROPECBQUBT (same)
- usersettings.json: identical body hash, same 107 KB, timestamp 2026 05 07
The operator cloned the entire VM image to a second provider. This is not coincidence or shared tooling, this is infrastructure replication. The machine names, certificates, and GUIDs are interior state that does not get reused unless the entire disk was copied.
128.1.79[.]99 (UCLOUD Information Technology, Bangkok TH)
Status: The genuinely new node. Absent from both ThreatFox (no result) and OTX (no prior pulses until mine). VT 1/91 (noise). This is the one node in the cluster that neither feed had seen.
This host is tied to the cluster via the PowerShell dropper enyhxk.ps1 (SHA 256 3b19ba5c3212bde4570940d81aa5b34ff1d9138961556aedf498dda616dbced5), which is a trojan.boxter loader. The VirusTotal report for this dropper lists its contacted_ips as 128.1.79[.]99, 172.94.18[.]103, and 8.8.8[.]8. The Bangkok node also stages the injection machinery: folders /pp/ and /ss/ contain AutoHotkey process injection scripts and encoded PE payloads.
165.154.184[.]75 (UCLOUD Information Technology, Bangkok TH)
Status: Flagged but feed thin. ThreatFox no result. VT 8/91 (malicious consensus).
This host is the plugin and payload distribution server. The miner configurations on 46.105.149[.]77 and 128.1.79[.]99 reference hxxp://165.154.184[.]75/New2026/plugin{1,2,3}.bin. VirusTotal already flagged this host as malicious, but ThreatFox had not indexed it. Known bad to one source, missing from another, which is the same coverage gap pattern the rest of the cluster shows.
The delivery machinery and process injection
The Bangkok node stages a sophisticated delivery chain using process injection and in memory PE loading. Two folders, /pp/ and /ss/, each contain three components:
real.exe/s.exe, stock AutoHotkey v1.1.37.02 interpreter (not malicious on its own)real.ahk/s.ahk, process injection scripts (the malicious component)a2026.png/s.png, encoded PE binaries in CSV format
The .ahk scripts implement a process hollowing technique: they read the encoded PNG file (comma separated decimal numbers), decode it by multiplying each value by a factor (2 or 4), and inject the resulting PE executable into a suspended AppLaunch.exe process using a sequence of Windows API calls (CreateProcess, ReadProcessMemory, WriteProcessMemory, SetThreadContext, ResumeThread). The decoded payloads are injected into memory without touching the filesystem, leaving no direct traces.
The decoded payloads
Both decoded PE files are 66,560 bytes, PE32 .NET assemblies compiled in Visual Basic .NET. I decoded them by reversing the PNG encoding (multiplying CSV decimal values by 2 or 4) and then decompiled them to determine actual functionality.
a2026_decoded.exe (decoded from a2026.png, multiply by 2)
- SHA 256:
4dd0748c0296953a216bbf962c2ebdf228463536ad6974dc38cb37425db6e422 - Threat: trojan.asyncrat/msil
- VirusTotal: 58/76 vendors flagged as malicious
- Status: Known RAT family, documented in threat feeds
This is a recognized AsyncRAT variant. AsyncRAT is a known remote access trojan sold on underground markets. The presence of a known RAT alongside the crypto stealer (below) suggests a two stage delivery: first profile the victim, then deploy the RAT for manual control once high value targets are identified.
s_decoded.exe (decoded from s.png, multiply by 4), AsyncRAT Build Configured as a Wallet Stealer & Target Profiler
- SHA 256:
8be38944888bfccf63a61956707a9fc53654e2b70e5adfec860235a9afaaad24 - Threat: AsyncRAT based build, wallet stealer configuration
- VirusTotal: Not detected by static scan, but sandbox detonation confirms behavior
- Status: Decompiled and detonated, fully characterized
This payload was not sitting in a feed waiting to be found. I pulled the encoded staging file s.png from the open directory on 128.1.79[.]99, applied the cipher transform the AutoHotkey script uses (the CSV float values, multiplied by 4) to reconstruct the original PE, and generated the hash above from the decoded binary. It was absent from VirusTotal at that point, and I submitted both the sample and the indicators afterward. The decode is what surfaced it.
I first thought this was a wholly new standalone stealer. Detonating it in a sandbox corrected that. The backbone is AsyncRAT, a known family, the sample creates the signature AsyncRAT mutex AsyncMutex_6SI8OkBSS, which is a known default and confirms the family but does not tie it uniquely to this operator. What is distinctive here is the configuration: this build is set up to hunt cryptocurrency wallets, and it calls a fresh C2 I had not seen before.
Once you account for the AsyncRAT base, the wallet targeting behavior (confirmed by both decompilation and detonation) is the interesting part. Upon execution it performs the following reconnaissance:
System Profiling: Collects HWID (hardware fingerprint), username, Windows version, admin status, and installed antivirus/security products. This creates a unique victim identifier.
Crypto Wallet Detection: Scans for installed cryptocurrency wallet browser extensions across Chrome, Edge, Firefox, and Brave. Specifically checks for MetaMask, TrustWallet, TronLink, Bitcoin Core, Ledger Live, Trezor Suite, Exodus, Atomic Wallet, and Binance. This identifies which victims hold cryptocurrency.
2FA Detection: Checks whether Bitcoin Core has 2FA authentication enabled. This is the critical targeting filter, victims with 2FA are low value targets (harder to steal from), while victims without 2FA are flagged as high priority.
Live C2: Sandbox detonation surfaced a fresh callback at 34.171.51[.]66:190 (Google Cloud). That is a new IOC for this specific build, separate from the cluster panels.
All this data is packaged and sent back to the C2. The operator uses this intelligence to decide which victims to pursue further. Victims with multiple unprotected wallets and no 2FA are the targets for the next stage: a cryptocurrency clipper or transaction hijacker that will steal outbound crypto transfers.
So the honest framing is an AsyncRAT build wearing a wallet stealer configuration, not a brand new malware family. The base is borrowed and credited; the targeting config and the fresh C2 are the parts worth reporting.
What I am not claiming
On the machine cloning: I proved they are clones by the certificates, GUIDs, and machine names. I did not pull the disks or prove they were cloned at a specific time. But the evidence is airtight: an RDP cert and SMB GUID do not duplicate unless the entire disk was copied.
On the operator: I do not have a persona, a wallet address (though it is probably in the usersettings.json payout field, which I chose not to pull), an email, or any person level identification. This is pure infrastructure attribution. The operator will likely redeploy this image to new providers once they know it got reported, so the tracking signature is the machine identity KSKGNROPECBQUBT, which will catch the next clone.
On the next stages: The wallet stealer profiles victims, but I did not capture the actual crypto theft tools (the clipper or drainer that would follow). Those are likely deployed separately to high value targets once the operator reviews the profiling data. I also did not pull the operator's cryptocurrency payout wallet, which would identify their funding flow. Both are deliberate choices to avoid operator loot fetches.
The tracking signature
The operator is cloning this Windows VM image across hosting providers. Future instances will carry the same interior identifiers:
Computer name: KSKGNROPECBQUBT
RDP certificate CN: KSKGNROPECBQUBT
RDP certificate SHA-256: 0254cdb43059463dc3c6c752a629ce7afe79b83e6a3f24bfa799d5540585a633
SMB server GUID: …48bdf0df8a67e040aab8fdd21d197710
In Censys, use either of these queries to catch future clones:
host.services.cert.parsed.subject_dn="CN=KSKGNROPECBQUBT"
host.services.cert.fingerprint_sha256="0254cdb43059463dc3c6c752a629ce7afe79b83e6a3f24bfa799d5540585a633"
As of June 12, 2026, Censys reports exactly two clones on these signatures. Both are the ones I already identified. When the operator replicates to a new provider, this query will catch it immediately.
Indicators
C2 Nodes
172.94.18[.]103 M247 DE PureMiner + AsyncRAT C2 KNOWN (ThreatFox + OTX)
46.105.149[.]77 OVH FR PureMiner (clone) OTX-known, ThreatFox-absent
128.1.79[.]99 UCLOUD Bangkok PureMiner + injection staging NEW (absent from both feeds)
Payload Distribution, DDNS & Sample C2
165.154.184[.]75 UCLOUD Bangkok plugin/payload host (VT 8/91)
34.171.51[.]66:190 Google Cloud s_decoded.exe live C2 (from detonation)
proxey[.]publicvm[.]com → 172.94.18[.]103 operator DDNS front
panel[.]freeddns[.]org → 172.94.18[.]103 operator DDNS (host reported)
Malware Samples
3b19ba5c3212bde4570940d81aa5b34ff1d9138961556aedf498dda616dbced5
enyhxk.ps1 — PowerShell boxter loader
eee4f6c96ed1a8390ea884e5abdc5be2746bf9407466d4dff0a48f862c074dfc
FileDeployer.exe — crysan dropper
d0774f8d94ca78dc6b159b23d0a2471a0f9a6fb2bb21463fe9b9f6050e95f4c1
intell.exe — VB.NET loader
effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696
s.exe / real.exe — AutoHotkey interpreter (carrier)
4dd0748c0296953a216bbf962c2ebdf228463536ad6974dc38cb37425db6e422
a2026_decoded.exe — AsyncRAT/MSIL (58/76 VT)
8be38944888bfccf63a61956707a9fc53654e2b70e5adfec860235a9afaaad24
s_decoded.exe — AsyncRAT build, wallet stealer config
Live C2: 34.171.51[.]66:190 (Google Cloud) · Mutex: AsyncMutex_6SI8OkBSS
What to actually do about it
If you are defending a network: Block the three C2 IPs and the payload host. They are the immediate threats. Hunt for the behavior: process injection via PowerShell dropper into hidden folders, AutoHotkey process hollowing, and encoded PE staging. This campaign will rotate hosts, but the machine identity KSKGNROPECBQUBT will catch the next clone. Report it to ThreatFox and ShadowServer. The infrastructure is wide open; the control side is dark for now.
If you are a regular person: Cryptojacking does not usually come with a lure page like ClickFix. It usually hits you through a watering hole, a vulnerable service, or a compromised third party. The risk is mostly background CPU theft and electricity costs. If you think you are infected, disconnect from the network, get the machine checked by someone who knows how, and change your passwords from a different device.
The honest wrap up
This started as an accident (I was looking for something else entirely) and turned into a complete infrastructure map. The three node cluster is real, the cloning is real, the delivery chain is real, and the decoded payloads are in my hands. The feed coverage told its own story: one node known in both ThreatFox and OTX, one missing from ThreatFox but already in 33 OTX pulses, and one absent from both. One payload is documented (AsyncRAT), one was new to the feeds. The patchwork is the point. The same node can be known in one feed and invisible in another, and the gaps run in both directions, which is exactly the kind of thing that slips through when you trust a single source of top level IOCs instead of reading the fingerprints of the machines underneath.
The infrastructure is real, the machines are real, and the machines will behave the same way when the operator spins up the next clone. That is what the tracking signature is for.