Security Advisory · 2026-06-15

Omegatech EtherHiding ClickFix V10

A new standalone EtherHiding loader (css.js, masquerading as an Elementor stylesheet) delivered via a new lure site, jbhtech.org.il. The EtherHiding payload-pointer mechanism (BSC-testnet contract 0x7Fd85c09...aaEb0E437) is unchanged from V8/V9 — but everything downstream of it has reverted to the V8 baseline: PS C2 158.94.208.92 (not V9's 91.92.240.121), payload names my_newest_ll.png / my_s.bin (not V9's student_*.bin), and a C# P/Invoke stub (BXZszqpgJvpmr) using V8's tid naming, not V9's sid. Secondary and post-exploitation stages (PS loader logic, VirtualAlloc/CreateThread injection, Donut-class shellcode) are structurally identical to V8/V9.

css.js, new V10 loader size: 123,859 B
WhatConverts refs in css.js: 0
Infra generation reverted to: V8
EtherHiding RPC endpoints (1 primary + 3 fallback): 4
my_s.bin, PE compiled 2026-06-03: 312,832 B
Cross-Reference: V10 supports SL-RETRACT-2026-001
The 2026-06-13 retraction (SL-RETRACT-2026-001) determined that s.ksrndkehqnwntyxlhgto.com, p.ksrndkehqnwntyxlhgto.com, and process.iconnode.com are legitimate WhatConverts SaaS infrastructure, coincidentally co-resident on the V9 lure site (williamhale.co.uk) — not part of the Omegatech chain.

V10's full static deobfuscation of css.js (123,859 bytes, all 51,749 decode calls resolved in a sandboxed Node vm) found zero references to WhatConverts, iconnode.com, ksrndkehqnwntyxlhgto.com, or 137116 anywhere — and the V10 PCAP shows no DNS activity for any of those domains at all. The jbhtech.org.il lure site does not appear to run WhatConverts. This is independent confirmation that the retracted domains were never part of this loader family: the Omegatech chain's only constant cross-version anchor is the EtherHiding contract + dntds.shop.
Kill Chain
STAGE 0 · T+0.00s | PCAP 17cf4017
Lure page — jbhtech.org.il [NEW V10]
Compromised WordPress · Israeli Haredi hi-tech vocational training organisation (JBH)
Injected <script> loads css.js (123,859 bytes) from the compromised page — named/styled to pass as an Elementor stylesheet asset, not a tracker masquerade.
www.jbhtech.org.il resolves to Cloudflare (172.67.143.40 / 104.21.46.236).
No WhatConverts / ad-analytics co-installation observed on this page (see Cross-Reference).
First identified via sinkhole referrer https://www.jbhtech.org.il/ on secureleaf.dispensight.com/sink.html, 2026-06-14.
IOC: jbhtech.org.il · 172.67.143.40 / 104.21.46.236 (Cloudflare)
STAGE 1 · EtherHiding lookup · DNS confirmed in PCAP
EtherHiding — BSC-testnet payload pointer [UNCHANGED V8/V9/V10]
css.js resolves the next-stage URL via a blockchain eth_call — never hardcoded
css.js performs POST eth_call to bsc-testnet-rpc.publicnode.com: {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x7Fd85c090f2b35071C57a3b9FeAF462aaEb0E437","data":"0x6d4ce63c"},"latest"],"id":222198}
Contract address 0x7Fd85c09...aaEb0E437 and selector 0x6d4ce63c are identical to V8 and V9-corrected — the one architectural constant across all three variants.
Fallback RPC list recovered from deobfuscated css.js: bsc-testnet.bnbchain.org, data-seed-prebsc-1-s1.bnbchain.org:8545, bsc-testnet.drpc.org, with an "All RPC nodes failed" terminal error string.
PCAP confirms DNS query for bsc-testnet-rpc.publicnode.com → 172.66.150.162 / 104.20.24.117 (Cloudflare-fronted), immediately preceding the TLS handshake to dntds.shop.
publicnode.com is a legitimate public BSC RPC provider — not itself malicious, but abused as a censorship-resistant dead-drop for the current ClickFix delivery endpoint.
CONTRACT: 0x7Fd85c090f2b35071C57a3b9FeAF462aaEb0E437 · selector 0x6d4ce63c · bsc-testnet-rpc.publicnode.com
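The payload-pointer lookup above is easy to match at a web proxy or in browser telemetry because the JSON-RPC body is plaintext before TLS and the contract address and selector are stable across V8/V9/V10. The following is an added detection example, not code from the advisory or from SecureLeaf/Dispensight: it decodes a JSON-RPC request body, reports whether it is an eth_call to the documented contract and/or selector, and notes whether the RPC host is one of the four endpoints recovered from css.js. The first sample body is the request quoted in this stage; the second is a constructed control against an unrelated contract.

```python
"""Inspect JSON-RPC bodies for the Omegatech EtherHiding payload-pointer lookup.
Indicators (contract, selector, RPC hosts) are the ones quoted in Stage 1."""
import json

OMEGATECH_CONTRACT = "0x7fd85c090f2b35071c57a3b9feaf462aaeb0e437"  # compared lowercase
OMEGATECH_SELECTOR = "0x6d4ce63c"
KNOWN_RPC_HOSTS = {
    "bsc-testnet-rpc.publicnode.com",          # primary endpoint seen in the PCAP
    "bsc-testnet.bnbchain.org",                # fallbacks recovered from css.js
    "data-seed-prebsc-1-s1.bnbchain.org",
    "bsc-testnet.drpc.org",
}

# The eth_call body captured from the sandboxed css.js run (quoted in the advisory).
CAPTURED_BODY = ('{"jsonrpc":"2.0","method":"eth_call","params":[{"to":'
                 '"0x7Fd85c090f2b35071C57a3b9FeAF462aaEb0E437","data":"0x6d4ce63c"},'
                 '"latest"],"id":222198}')
# Constructed control: an eth_call to an unrelated contract (not from the PCAP).
CONTROL_BODY = ('{"jsonrpc":"2.0","method":"eth_call","params":[{"to":'
                '"0x0000000000000000000000000000000000000001","data":"0x70a08231"},'
                '"latest"],"id":1}')


def inspect_eth_call(host, body):
    """Return a verdict dict for an eth_call body, or None if the body is not one."""
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("method") != "eth_call":
        return None
    params = req.get("params") or []
    call = params[0] if params and isinstance(params[0], dict) else {}
    to = str(call.get("to", "")).lower()
    data = str(call.get("data", "")).lower()
    selector = data[:10]                      # "0x" + 4-byte function selector
    reasons = []
    if to == OMEGATECH_CONTRACT:
        reasons.append("contract")            # strongest signal: the unique dead-drop address
    if selector == OMEGATECH_SELECTOR:
        reasons.append("selector")            # weaker on its own; selectors are not unique
    return {
        "host": host.lower(),
        "known_omegatech_rpc": host.lower() in KNOWN_RPC_HOSTS,
        "to": to,
        "selector": selector,
        "reasons": reasons,
        "verdict": "omegatech_pointer_lookup" if reasons else "no_match",
    }
```

Score a contract hit higher than a selector-only hit, and treat any eth_call issued by a browser while rendering an ordinary WordPress page as worth a low-priority alert on its own, since a site with no dapp functionality has no reason to talk to a BSC RPC endpoint.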
STAGE 2 · TLS SNI confirmed · dntds.shop
ClickFix delivery — dntds.shop [UNCHANGED V8/V9/V10]
EtherHiding eth_call resolves to the same TDS host as V8/V9
TLS 1.3 connection to dntds.shop (178.16.53.137 · AS202412 · Seychelles BPH), SNI confirmed in ClientHello.
Path not recoverable — TLS 1.3, no decryption attempted (consistent with policy: this is a one-way confirmation of host contact, not payload content recovery).
Per the V9-corrected delta, V8 used /jsrepo?rnd= and V9 used /teamrepo?rnd= on this same host — both serve the obfuscated ClickFix overlay JS that renders the fake-Cloudflare CAPTCHA and writes the PowerShell command to clipboard.
Fake-CAPTCHA → "Press Win+R, paste, Enter" social engineering pattern assumed unchanged (not independently re-verified for V10 due to TLS).
DOMAIN: dntds.shop · 178.16.53.137 · AS202412
STAGE 3 · HTTP plaintext · 1,590 bytes recovered
PowerShell download cradle — 158.94.208.92 [REVERTED TO V8]
PS C2 IP reverts from V9's 91.92.240.121 back to V8's 158.94.208.92
GET http://158.94.208.92/ — bare IP, no TLS. Server: Apache/2.4.66 (Debian), UA: WindowsPowerShell/5.1.19041.4046. This is V8's IP, not V9's rotated 91.92.240.121.
Response: 1,590-byte PowerShell script (Content-Type: text/html), fetches http://158.94.208.104/x7GkP2mQ9zL4/my_newest_ll.png via Invoke-WebRequest.
Embeds C# here-string defining class BXZszqpgJvpmr: GetCurrentProcess, VirtualAlloc(IntPtr a, uint sz, uint t, uint p), CreateThread(IntPtr ta, uint ss, IntPtr sa, IntPtr p, uint cf, out uint tid), WaitForSingleObject(IntPtr h, uint ms) — all from kernel32.dll.
Out-parameter named tid — matches V8's naming, not V9's YARA-evasion rename to sid.
VirtualAlloc flags 0x1000 | 0x2000 = 0x3000 (MEM_COMMIT|MEM_RESERVE), protection 0x40 (PAGE_EXECUTE_READWRITE). WaitForSingleObject timeout 30,000ms. Identical constants to V8/V9.
HASH: PS stager SHA256: 12D19B6DD30E0EE8CA45DF943FAF7EC0BB4AF21B7CC8EC28B492AFF38FDC0445 (1,590 bytes)
STAGE 4 · HTTP plaintext · both binaries confirmed
Payload fetch — 158.94.208.104/x7GkP2mQ9zL4/ [FILENAMES REVERTED TO V8]
my_newest_ll.png + my_s.bin — V8's original names, not V9's student_*.bin
GET /x7GkP2mQ9zL4/my_newest_ll.png → 53,323 bytes. Server: Apache/2.4.52 (Ubuntu), Content-Type: image/png, Last-Modified: 2026-06-03. First bytes e8 c0 6d 00 00 c0 6d 00 00 = x86 CALL opcode, not a valid PNG — raw Donut shellcode. Same e8 c0 6d 00 signature documented in V8/V9 memory dumps.
GET /x7GkP2mQ9zL4/my_s.bin → 312,832 bytes. Content-Type: application/octet-stream, Last-Modified: 2026-06-03. x64 PE (MZ header), PE compile timestamp 2026-06-03 17:12:43 UTC.
Imports mscoree.dll: CorBindToRuntime, CLRCreateInstance, CorExitProcess — native CLR-hosting loader, consistent with the Donut-class loader attribution (8/8 static indicators) from V8 memory-dump analysis. Sections: .text/.rdata/.data/.pdata/.fptable/.rsrc/.reloc.
Contains the string size95.exe — matches the V8 dropper artifact name documented in prior memdump analysis.
Both files use V8's original my_* names (V9 renamed these to student_l.bin / student_s.bin as YARA evasion). The shared Last-Modified: 2026-06-03 date on both V10 files strongly suggests these are the same underlying binaries as V8, simply still being served under their original filenames — i.e. the staging server's file set never changed; only V9 temporarily served path aliases.
Path prefix /x7GkP2mQ9zL4/ on 158.94.208.104 is unchanged across V8, V9, and V10.
IOC: my_newest_ll.png SHA256: 9BB96FA6...A17C22FC + my_s.bin SHA256: 0A60144D...D428C11 · AS202412
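Stages 3 and 4 share a traffic shape that a proxy or egress log can catch without any payload inspection: a WindowsPowerShell user-agent fetching from a bare public IP over cleartext HTTP, here with the unchanged /x7GkP2mQ9zL4/ staging prefix on top. The block below is an added example, not tooling from the advisory or from SecureLeaf/Dispensight. It assumes a hypothetical space-separated proxy log format (timestamp, client, method, URL, status, bytes, quoted user-agent); the sample lines are constructed to mirror the requests described above and are not lines from the PCAP.

```python
"""Flag PowerShell download-cradle traffic of the kind seen in Stages 3 and 4
in a proxy/egress log: WindowsPowerShell user-agent fetching from a bare IP
over cleartext HTTP, optionally hitting the known staging path."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

STAGING_PATH = "/x7GkP2mQ9zL4/"          # path prefix unchanged across V8/V9/V10
PS_UA_PREFIX = "WindowsPowerShell/"      # UA sent by Invoke-WebRequest on Windows PowerShell 5.1

# Constructed log lines (hypothetical format: ts client method url status bytes "ua");
# they mirror the advisory's requests but are not lines from the PCAP.
SAMPLE_LOG = """\
2026-06-14T10:02:11Z 10.0.0.5 GET http://158.94.208.92/ 200 1590 "WindowsPowerShell/5.1.19041.4046"
2026-06-14T10:02:12Z 10.0.0.5 GET http://158.94.208.104/x7GkP2mQ9zL4/my_newest_ll.png 200 53323 "WindowsPowerShell/5.1.19041.4046"
2026-06-14T10:02:13Z 10.0.0.5 GET http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin 200 312832 "WindowsPowerShell/5.1.19041.4046"
2026-06-14T10:03:40Z 10.0.0.7 GET https://www.example.com/index.html 200 8123 "Mozilla/5.0 (Windows NT 10.0)"
2026-06-14T10:04:02Z 10.0.0.9 GET http://10.1.2.3/packages/update.msi 200 4000 "WindowsPowerShell/5.1.19041.4046"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')


def as_ip(host):
    """Return an ip_address object when host is a bare IP literal, else None."""
    try:
        return ip_address(host)
    except ValueError:
        return None


def analyse_line(line):
    """Score one log line; None when it is unparsable or not PowerShell-originated."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, nbytes, ua = m.groups()
    if not ua.startswith(PS_UA_PREFIX):
        return None
    parts = urlsplit(url)
    host = parts.hostname or ""
    ip = as_ip(host)
    indicators = ["powershell_ua"]
    if parts.scheme == "http":
        indicators.append("cleartext_http")
    if ip is not None:
        indicators.append("bare_ip_host")
    if parts.path.startswith(STAGING_PATH):
        indicators.append("omegatech_staging_path")
    if "omegatech_staging_path" in indicators or (ip is not None and not ip.is_private):
        severity = "high"                # known IOC, or a cradle reaching a public bare IP
    elif ip is not None:
        severity = "low"                 # private bare IP: internal admin tooling is plausible
    else:
        severity = "medium"              # PowerShell fetching from a named host
    return {"ts": ts, "client": client, "host": host, "path": parts.path,
            "bytes": int(nbytes), "indicators": indicators, "severity": severity}


def detect(log_text):
    """Run analyse_line over every line and keep the hits in log order."""
    return [a for a in map(analyse_line, log_text.splitlines()) if a]
```

The severity split matters in practice: PowerShell pulling from an internal IP is routine in many estates, so the private-address case is kept as a low-severity record for correlation rather than an alert, while the public bare-IP case and the staging-path case page someone.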
STAGE 5 · In-memory · pattern-consistent, not independently re-detonated
Shellcode injection — VirtualAlloc → CreateThread [STRUCTURALLY UNCHANGED]
BXZszqpgJvpmr compiles via Add-Type/csc.exe, injects Donut-loaded my_s.bin
Add-Type compiles the BXZszqpgJvpmr stub via csc.exe in-memory (T1027.004 — compile after delivery), same mechanism as V8/V9's flferzre/zgxr4teh stubs.
VirtualAlloc(IntPtr.Zero, len(my_newest_ll.png), 0x3000, 0x40) → RWX page · Marshal.Copy writes the 53,323-byte Donut blob · CreateThread → WaitForSingleObject(30000).
Donut loader executes, reflectively loads my_s.bin (CLR-hosting PE) — expected to inject into a host process (V8/V9 observed svchost.exe CDPUserSvc); not independently re-confirmed for V10 as the supplied PCAP does not capture post-injection behaviour.
Tier-1 dev fingerprint: abbreviated P/Invoke params (a, sz, t, p, ta, ss, sa, cf, h, ms) — third distinct class name (flferzre → zgxr4teh → BXZszqpgJvpmr) wrapping an unchanged template. Out-param naming oscillates tid (V8) → sid (V9) → tid (V10).
RAT C2 check-in (V9: 91.92.243.161:3038) not observed in this PCAP — either not reached within the capture window, or this stage's C2 also reverted to a V8-era endpoint not captured here.
CLASS: BXZszqpgJvpmr · out uint tid · VirtualAlloc 0x3000/0x40 · WaitForSingleObject 30000ms
Infrastructure Staging — Reactivated V8 Baseline
158.94.208.92
Role: PS download cradle — serves stage-2 PowerShell on bare GET /
Server: Apache/2.4.66 (Debian)
V8: Primary PS C2 — confirmed
V9: Rotated to 91.92.240.121 (per corrected advisory)
V10: Reactivated — same IP as V8, same response structure
158.94.208.92 was never decommissioned; V9's IP rotation appears to have been a parallel/temporary branch rather than infrastructure retirement.
158.94.208.104
Role: Payload staging — /x7GkP2mQ9zL4/ path prefix
Server: Apache/2.4.52 (Ubuntu)
V8: my_s.bin + my_newest_ll.png, Last-Modified 2026-06-03
V9: Same files served as student_s.bin / student_l.bin (alias rename)
V10: Original my_* names again, same Last-Modified 2026-06-03
Identical Last-Modified date across V8 and V10 strongly suggests one persistent file set on disk, referenced under different path aliases per campaign generation.
V8 / V9 / V10 — Three-Way Delta
Component | V8 | V9 (corrected) | V10
Lure site | penrosept.com (PT clinic, US) | williamhale.co.uk (CCTV, UK) | jbhtech.org.il (hi-tech ed., IL) [NEW]
Initial loader | Injected script (host plugin masquerade) | VM50 (~1.25 MB, RC4+base64 obfuscator.io) | css.js (123,859 B, standalone obfuscator.io) [NEW]
EtherHiding | bsc-testnet-rpc.publicnode.com · 0x7Fd85c09...E437 · 0x6d4ce63c | Unchanged | Unchanged — confirmed again
ClickFix TDS | dntds.shop/jsrepo?rnd= | dntds.shop/teamrepo?rnd= | dntds.shop (path not recoverable, TLS 1.3)
PS C2 IP | 158.94.208.92 | 91.92.240.121 [ROTATED] | 158.94.208.92 [REVERTED TO V8]
RAT C2 IP | 158.94.208.104 | 91.92.243.161:3038 [ROTATED] | not observed in capture
Staging server | 158.94.208.104 | 158.94.208.104 (unchanged) | 158.94.208.104 — unchanged
Staging path | /x7GkP2mQ9zL4/ | /x7GkP2mQ9zL4/ (unchanged) | /x7GkP2mQ9zL4/ — unchanged
Payload names | my_s.bin / my_newest_ll.png | student_s.bin / student_l.bin [YARA EVASION] | my_s.bin / my_newest_ll.png [REVERTED TO V8]
Payload hashes | (Last-Modified 2026-06-03) | (same files, aliased) | SHA256 0A60144D... / 9BB96FA6... (Last-Modified 2026-06-03 — same files)
C# stub class | flferzre | zgxr4teh | BXZszqpgJvpmr [NEW NAME]
C# out-param | tid | sid [YARA EVASION] | tid [REVERTED TO V8]
VirtualAlloc/CreateThread/WFSO consts | 0x3000 / 0x40 / 30000ms | Unchanged | Unchanged
Donut loader | Confirmed (8/8 indicators) | Confirmed (inherited) | Consistent (mscoree.dll CLR-hosting imports, e8 c0 6d 00 shellcode signature)
Tier-1 dev fingerprint | Abbreviated P/Invoke params | Same operator | Same operator — abbreviated params persist across 3rd class rename
WhatConverts / iconnode.com | n/a | RETRACTED — unrelated WC infra (SL-RETRACT-2026-001) | Zero refs in css.js, zero DNS in PCAP — supports retraction
Forensic Findings — PCAP 17cf4017
STANDALONE LOADER: not a masquerade injection
Unlike V9's 137116.js (a 1,254-char malicious prefix prepended to a hijacked legitimate WhatConverts script), css.js is a fully self-contained 123,859-byte obfuscator.io file with no legitimate plugin code attached. It is named/served to blend in as an Elementor stylesheet asset rather than disguised as a known analytics tracker. This is a simpler, more portable masquerade — no dependency on finding a plausible "cover" plugin already installed on the victim site.
FULL STATIC DEOBFUSCATION
css.js uses standard obfuscator.io: a 405-entry rotated string array (a0_0x4e99), an RC4+base64 decoder (a0_0x4a56) with internal caching, and 39 call-site wrapper functions. All 51,749 decode calls were resolved by running the decoder infrastructure (array + rotation IIFE + decoder function — inert string-table code) in a sandboxed Node vm with stubbed document/window/navigator/XMLHttpRequest (no real network egress). This is identical methodology to prior V8/V9 deobfuscation work.
SELF-DEFENSE: obfuscator.io standard
Decoded strings confirm standard obfuscator.io self-defending/anti-tamper code: regex (((.+)+)+) (catastrophic-backtracking decoy used in tamper checks), debugger statement trap, console.log/warn/info/error/exception/table/trace hooking, and a while(true){} infinite-loop tamper response. These are generic toolchain artifacts, not bespoke malware logic.
ETHERHIDING: request captured
The sandboxed execution captured the exact eth_call request css.js constructs: POST https://bsc-testnet-rpc.publicnode.com with body {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x7Fd85c090f2b35071C57a3b9FeAF462aaEb0E437","data":"0x6d4ce63c"},"latest"],"id":222198}. The request was captured/logged only — not sent (sandbox XMLHttpRequest.send() is a no-op; publicnode.com is also outside this environment's network allowlist).
FILENAME REVERSION
V9 renamed V8's my_s.bin/my_newest_ll.png to student_s.bin/student_l.bin specifically to evade a /my_*\.bin YARA pattern. V10 reverts to the original my_* names — re-exposing it to that exact pattern. Combined with matching Last-Modified: 2026-06-03 timestamps on both files, this suggests the staging server's underlying file set is a single persistent asset pool, with different campaign generations simply pointing at it under different aliases rather than rebuilding payloads per-campaign.
PE TIMESTAMP: 2026-06-03 17:12:43 UTC
my_s.bin's PE header TimeDateStamp is 2026-06-03 17:12:43 UTC — the same date as the Last-Modified header on both V10 payload files. x64, MSVC linker 14.50 (VS2022), entry point 0x1618, ImageBase 0x140000000, DllCharacteristics 0x8160 (ASLR/DEP/CFG-aware). Full section entropy: .text (65,536B, 6.28) / .rdata (40,960B, 4.60) / .data (184,320B, 5.59) / .pdata (4,096B, 4.88) / .fptable (4,096B, 0.00 — entirely zero-filled, not a recognized packer-section signature; likely an unused linker artifact) / .rsrc (4,096B, 0.95) / .reloc (4,096B, 2.99), plus a 1,536-byte trailing overlay. No export table, no version resource. No embedded C2 strings found via ASCII string extraction in either payload — consistent with the C2 endpoint (158.94.208.92) being supplied externally via the PS stager rather than hardcoded in the binary.
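The header fields quoted in this finding (TimeDateStamp, linker version, entry point, ImageBase, DllCharacteristics, section table) can all be read with nothing more than struct, which is useful on a triage box without a PE library. The parser below is an added example, not the advisory's own tooling; build_sample_pe() constructs a minimal PE32+ header that echoes the values quoted above so the parser can be exercised offline, and is not a byte-for-byte reproduction of my_s.bin.

```python
"""Read the PE header fields cited for my_s.bin (TimeDateStamp, linker version,
entry point, ImageBase, DllCharacteristics, section table) using only struct."""
import calendar
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe(data):
    """Return a dict of the header fields used for timestamp/mitigation triage."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                         # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    major_l, minor_l = struct.unpack_from("<BB", data, opt + 2)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus
                  else struct.unpack_from("<I", data, opt + 28)[0])
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]     # same offset for PE32 and PE32+
    sections = []
    sec_off = opt + opt_size                                  # section table follows optional header
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "raw_ptr": rawptr})
    return {
        "machine": "x64" if machine == 0x8664 else "x86" if machine == 0x14C else hex(machine),
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker": f"{major_l}.{minor_l}",
        "entry_point": entry,
        "image_base": image_base,
        "dll_characteristics": dllchar,
        "mitigations": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit),
        "sections": sections,
    }


def build_sample_pe():
    """Constructed minimal PE32+ header (not the real my_s.bin) echoing values quoted
    in the advisory: x64, 2026-06-03 17:12:43 UTC, linker 14.50, EP 0x1618,
    ImageBase 0x140000000, DllCharacteristics 0x8160, two sections."""
    ts = calendar.timegm((2026, 6, 3, 17, 12, 43, 0, 0, 0))
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    opt_size = 240                                            # standard PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 2, ts, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, 0x20B, 14, 50)           # magic, linker major/minor
    struct.pack_into("<I", opt, 16, 0x1618)                   # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)              # ImageBase
    struct.pack_into("<H", opt, 70, 0x8160)                   # DllCharacteristics
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x10000, 0x1000, 0x10000, 0x400, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".fptable", 0x1000, 0x11000, 0x1000, 0x10400, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
```

On a real sample, parse_pe(open("my_s.bin", "rb").read()) returns the same structure. Decoding the DllCharacteristics word bit by bit shows exactly which mitigation flags the linker set. The TimeDateStamp is attacker-controllable and should only ever corroborate other evidence (the Last-Modified headers and, as the finding recommends, a hash comparison against an archived V8 sample), never stand alone.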
CLR-HOSTING ARCHITECTURE
my_s.bin imports mscoree.dll (CorBindToRuntime, CLRCreateInstance, CorExitProcess) plus OLEAUT32.dll SafeArray marshaling functions, with strings referencing mscorlib, System.Net.Sockets, System.Net, and __clrcall. This is a native C++ stub that bootstraps the CLR via the unmanaged hosting API to execute a managed component with networking capability — distinct from V8's documented equivalent, a compact 3.50KB compiled .NET DLL (/t:library, four kernel32 P/Invoke imports, no CLR-hosting layer). Given identical filenames, sizes, and a PE timestamp predating both detonations, the most likely explanation is that this CLR-hosting stub was already present in V8 and not fully characterized in the original advisory, rather than a V10-specific redesign. Recommend reconciling against an archived V8 my_s.bin sample to confirm hash equality.
DONUT BLOB: structure confirmed
Windowed entropy analysis (4KB blocks) of my_newest_ll.png confirms the documented two-region Donut structure: bytes 0x0–~0x7000 (≈28KB) at entropy 7.89–7.96 (Chaskey/RC4-encrypted .NET module payload), bytes ~0x7000–0xD03B (≈25KB) dropping to entropy 5.95–6.33 (Donut x64 loader stub — API-hashing tables, syscall stubs, decrypt routine). File-wide average 7.53. This matches the proportions of the V8 memdump finding (~27.4KB RC4-encrypted blob + ~24.6KB Donut stub, entropy 7.24/8.0), supporting same-payload-family attribution between V8 and V10's shellcode stage.
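Two of the checks above, the Content-Type versus file-magic mismatch from Stage 4 and the 4 KB windowed entropy profile used here to locate the encrypted-payload/loader-stub boundary, are cheap enough to run on every fetched blob. The block below is an added example, not the advisory's own analysis script. It assumes a 4 KB window and a drop of more than one bit between neighbouring windows as the boundary criterion; the sample blob is constructed (the advisory's leading bytes, then seeded pseudo-random data standing in for the encrypted region and a repeating pattern standing in for the stub) and is not my_newest_ll.png.

```python
"""Triage a fetched blob the way Stage 4 and the Donut-blob finding do:
check the declared Content-Type against the file magic, look for an x86
CALL (e8) at offset 0, and compute a 4 KB windowed entropy profile to find
the encrypted-payload / loader-stub boundary."""
import math
import random

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(chunk):
    """Bits per byte of chunk (0.0 for a constant run, 8.0 for ideal randomness)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def windowed_entropy(data, window=4096):
    """Entropy of each consecutive window, rounded to two decimals."""
    return [round(shannon_entropy(data[i:i + window]), 2)
            for i in range(0, len(data), window)]


def triage_blob(data, declared_type, window=4096):
    """Return findings, whole-file entropy, the window profile and the first
    high-to-low entropy boundary (byte offset) if one exists."""
    findings = []
    if declared_type == "image/png" and not data.startswith(PNG_MAGIC):
        findings.append("content_type_mismatch")      # served as PNG, is not a PNG
    if data[:1] == b"\xe8":
        findings.append("leading_x86_call")          # e8 rel32 at offset 0: shellcode entry stub
    profile = windowed_entropy(data, window)
    boundary = None                                  # first >1-bit drop between neighbouring windows
    for i in range(1, len(profile)):
        if profile[i - 1] - profile[i] > 1.0:
            boundary = i * window
            break
    return {"size": len(data), "findings": findings,
            "file_entropy": round(shannon_entropy(data), 2),
            "profile": profile, "boundary": boundary}


def build_sample_blob():
    """Constructed stand-in for my_newest_ll.png (not the real file): the advisory's
    leading bytes, 28 KB of seeded pseudo-random data (encrypted payload region),
    then 24 KB of a repeating 64-byte pattern (entropy exactly 6.0, loader stub region)."""
    rng = random.Random(1)
    head = b"\xe8\xc0\x6d\x00\x00"
    encrypted = bytes(rng.getrandbits(8) for _ in range(7 * 4096 - len(head)))
    stub = bytes(range(64)) * 64 * 6
    return head + encrypted + stub
```

The boundary criterion is deliberately crude: it reports the first window where entropy falls by more than a bit, which is what separates a Chaskey/RC4-encrypted module (near 8.0) from position-dependent loader code (around 6.0) in the profile described above. Compressed images and packed installers also produce high-entropy regions, so the magic mismatch and the leading CALL opcode carry the verdict; the profile tells the analyst where to start carving.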
CLEAN OF RETRACTED IOCs
Cross-checked css.js and both payload binaries against the three SL-RETRACT-2026-001 indicators (s.ksrndkehqnwntyxlhgto.com, p.ksrndkehqnwntyxlhgto.com, process.iconnode.com) and V9's other retracted-adjacent strings (137116, wc_profile_id, whatconverts-tracking-script-js): zero matches across all three files. V10 telemetry is fully consistent with the corrected V9 understanding of this cluster's true IOC set.
YARA Detection Rules
SecureLeaf_Omegatech_V10_CSharp_Loader
Detects the V10 P/Invoke stub (BXZszqpgJvpmr, tid param). OR-extended to also catch V8 (flferzre/tid) and V9 (zgxr4teh/sid) on the abbreviated-parameter Tier-1 fingerprint alone, independent of class name or out-param rename.
rule SecureLeaf_Omegatech_V10_CSharp_Loader {
  meta:
    description = "Omegatech ClickFix C# P/Invoke shellcode loader stub - V8/V9/V10 (Tier-1 dev fingerprint)"
    author      = "SecureLeaf / Dispensight"
    date        = "2026-06-15"
    reference   = "SL-ADV-2026-WP-001-V10"
  strings:
    $va     = "VirtualAlloc(IntPtr a, uint sz, uint t, uint p)" ascii
    $ct     = "CreateThread(IntPtr ta, uint ss, IntPtr sa, IntPtr p, uint cf" ascii
    $wfso   = "WaitForSingleObject(IntPtr h, uint ms)" ascii
    $interop= "System.Runtime.InteropServices" ascii
    $kernel = "kernel32.dll" ascii
    $tid    = "out uint tid" ascii  // V8 + V10
    $sid    = "out uint sid" ascii  // V9
  condition:
    $interop and $kernel and $va and $ct and $wfso and ($tid or $sid)
}
SecureLeaf_Omegatech_EtherHiding_Contract
Detects the EtherHiding payload-pointer eth_call pattern shared by V8, V9, and V10. Anchors on the contract address and method selector, which have been the single stable indicator across all three variants — independent of obfuscation layer, loader filename, or class naming.
rule SecureLeaf_Omegatech_EtherHiding_Contract {
  meta:
    description = "Omegatech EtherHiding BSC-testnet payload-pointer contract (eth_call) - stable across V8/V9/V10"
    author      = "SecureLeaf / Dispensight"
    date        = "2026-06-15"
    reference   = "SL-ADV-2026-WP-001-V10"
  strings:
    $contract = "0x7Fd85c090f2b35071C57a3b9FeAF462aaEb0E437" ascii nocase
    $selector = "0x6d4ce63c" ascii
    $ethcall  = "eth_call" ascii
    $rpc1     = "bsc-testnet-rpc.publicnode.com" ascii
    $rpc2     = "bnbchain.org" ascii
    $allfail  = "All RPC nodes failed" ascii
  condition:
    ($contract or $selector) and $ethcall and ($rpc1 or $rpc2 or $allfail)
}
SecureLeaf_Omegatech_Payload_URL_V8V10
Detects the Omegatech staging URL pattern under /x7GkP2mQ9zL4/, covering both V8/V10's my_* naming (reverted) and V9's student_* naming.
rule SecureLeaf_Omegatech_Payload_URL_V8V10 {
  meta:
    description = "Omegatech payload staging URL - path prefix survives V8/V9/V10 naming rotation"
    author      = "SecureLeaf / Dispensight"
    date        = "2026-06-15"
  strings:
    $path    = "/x7GkP2mQ9zL4/" ascii
    $my      = "my_"      ascii  // V8, V10
    $student = "student_" ascii  // V9
    $bin     = ".bin"     ascii
    $png     = ".png"     ascii
  condition:
    $path and ($my or $student) and ($bin or $png)
}
IOC Reference
Type | Value | Role / Notes
DOMAIN | jbhtech.org.il [NEW] | V10 lure site. Israeli hi-tech vocational training org. Injected with css.js.
SHA256 | 13AFE5810D32E39F5FAD0B630A91D353937863803EF5D0D33F6DAD157205C4DD [NEW] | css.js — V10 standalone EtherHiding loader, 123,859 bytes. MD5: 6B7D357D8E83D802A12A4DBF8AAD9486.
DOMAIN | bsc-testnet-rpc.publicnode.com | EtherHiding RPC, primary. Legitimate service, abused as payload-pointer resolver. Unchanged V8/V9/V10.
CONTRACT | 0x7Fd85c090f2b35071C57a3b9FeAF462aaEb0E437 | BSC-testnet EtherHiding contract. Selector 0x6d4ce63c. Unchanged V8/V9/V10 — primary detection anchor.
DOMAIN | dntds.shop | ClickFix TDS. 178.16.53.137. V8 path /jsrepo, V9 path /teamrepo. Unchanged host V8/V9/V10.
IP | 178.16.53.137 | dntds.shop hosting IP, AS202412.
IP | 158.94.208.92 [REVERTED] | V10 PS download cradle. Same IP as V8 (V9 had rotated to 91.92.240.121). AS202412, Apache/2.4.66 Debian.
IP | 158.94.208.104 | Payload staging, /x7GkP2mQ9zL4/. Unchanged V8/V9/V10. AS202412, Apache/2.4.52 Ubuntu.
URL | http://158.94.208.104/x7GkP2mQ9zL4/my_newest_ll.png [REVERTED] | 53,323 B. Raw Donut shellcode (e8 c0 6d 00...) served as image/png. V8 filename (V9: student_l.bin).
SHA256 | 9BB96FA6AEE45120D14660506320932691310ADEF4353E684775F590A17C22FC | my_newest_ll.png. MD5: 09AC9B813CB34DEDC439B26130C95F2D.
URL | http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin [REVERTED] | 312,832 B. x64 PE, mscoree.dll CLR-hosting imports, compiled 2026-06-03 17:12:43 UTC. V8 filename (V9: student_s.bin).
SHA256 | 0A60144D4C1554223E78AD52B31BA5E15284CC7DF18A77D3DD90CBCC7D428C11 | my_s.bin. MD5: CA77F877A7678A42C107CF3E7CDEEE1F. Contains string "size95.exe".
SHA256 | 12D19B6DD30E0EE8CA45DF943FAF7EC0BB4AF21B7CC8EC28B492AFF38FDC0445 | Stage-2 PS stager, 1,590 bytes, from 158.94.208.92. MD5: 5C861F86B1DB893A36B13A39FC061B03. Defines class BXZszqpgJvpmr.
CLASS | BXZszqpgJvpmr [NEW NAME] | V10 C# P/Invoke stub class name. out uint tid (V8 naming). 3rd distinct class name after flferzre (V8) / zgxr4teh (V9).