158.94.211.92 · V11 domain recycled · lure naturlexikon-bayern.deA further iteration of this ClickFix cluster is live, delivered from a newly-compromised German charity website. The threat actor remains unattributed — tracked as an unknown APT using AS202412 infrastructure. ("Omegatech LTD" is the registered operator of AS202412, a Seychelles bulletproof-hosting AS — the infrastructure provider, not a confirmed actor identity.)
Continuity is imphash-confirmed: the Donut/.NET loader carries imphash
edc8ef44e1870aad7a3e58dab17f8e1b — byte-identical to V12, with the same seven sections
including .fptable. Recompiled, not rewritten: the same source tree.
Assessed V12.1, not V13. The version-defining chain config (stage path, payload name, TDS, EtherHiding) and the .NET core are unchanged. What changed is packaging and plumbing: a new native downloader stage, rotated infrastructure, and a recycled V11 domain.
naturlexikon-bayern.de — a legitimate Bavarian nature encyclopedia run by the St. Anne Stiftung (charitable foundation; site © 2013, likely unmaintained CMS). Hosted 188.40.29.134 (Hetzner).dntds.shop → 178.16.53.137 unchanged from V12.eth_call get() (selector 0x6d4ce63c) against BSC-testnet contract 0xFB448D…D469d via bsc-testnet-rpc.publicnode.com.s671oa11sh717t0q is non-hex filler — a fake credential, same tell as V12's challengeHash being SHA-256 of the empty string.digitalenterprise2026.com — the V11 domain, re-pointed to 158.94.211.92 (NEW /24) — serves /s_enterprise, a ~1.6 KB C# in-memory loader script (Add-Type + VirtualAlloc/Marshal, T1027.004)./enterprise/student_s.bin. Absent in V12 — a different toolchain from the MSVC-built .NET core.4D 5A 45 52 + E8 GetPC), wrapping the .NET loader (284,160 B, imphash identical to V12).| Trait | Status in V12.1 |
|---|---|
.NET loader imphash edc8ef44… + 7 sections incl. .fptable | IDENTICAL to V12 — same source tree (strongest continuity signal) |
TDS dntds.shop → 178.16.53.137 | Unchanged |
Stage path /s_enterprise · payload student_s.bin | Unchanged (V12 lineage) |
| BSC-testnet EtherHiding | Retained |
| obfuscator.io RC4/rotate loader family | Retained (V7 → V12.1) |
| Compromised-legit lure delivery | Retained (ES → PH/PK → DE) |
| Native MinGW-w64/GCC-15 WinHTTP downloader stage | NEW — absent in V12 |
| Stage-2 IP | NEW — 158.94.211.92 (V12: 158.94.208.104) |
| C2 domain | RECYCLED — V11's digitalenterprise2026.com re-pointed to new IP |
| MZER polyglot Donut header | RESTORED (V12/ejecutivos used a bare E8 stub) |
| ClickFix paste vector | EVOLVED — Win+X → Terminal (was Win+R) |
Detection note: because V12.1 pairs the V11 C2 domain with the
V12 stage config, the SecureLeaf rules AS202412_Chain_V11 and AS202412_Chain_V12
fire simultaneously on the detonation capture. That co-fire is itself a V12.1 signature.
It also confirms the earlier finding that chain config is pinned per compromised host by its injected implant —
V11, V12 and V12.1 are live concurrently, so V11 IOCs are not retired.
| Indicator | Role |
|---|---|
| 158.94.211.92 | Stage-2 / payload delivery (NEW /24) — reportable |
| digitalenterprise2026.com | C2 — V11 domain recycled onto the new IP — reportable |
| dntds.shop → 178.16.53.137 | TDS / loader host (unchanged) — reportable |
| naturlexikon-bayern.de → 188.40.29.134 | VICTIM — compromised charity site (Hetzner). Notify; do not hard-blocklist |
| bsc-testnet-rpc.publicnode.com | EtherHiding RPC — shared-legit, DO NOT BLOCKLIST |
| 0xFB448D465841C63F3bC433be61Eb692b813D469d | BSC-testnet EtherHiding contract (get() = 0x6d4ce63c) — durable, track |
| Pattern |
|---|
| /s_enterprise |
| /enterprise/student_s.bin |
| Artifact | SHA-256 |
|---|---|
| dntds.shop JS loader (V12.1 build) | 730e7bff19c481cf279f2b094fff0ff1d2899753e1974c4a7433e5c14f0e1d1b |
Donut/.NET loader student_s.bin (284,160 B) | 0edbd4b91d63f9804f90aeee408302936d87fdbda2fb8dbb6f83868861f9c613 |
| NEW native MinGW WinHTTP downloader (50,688 B) | 6270f38bdf27aebb108331a484220a8bc0b9a1e6a2c4bba6dad89a2f3665bca5 |
Stage-2 /s_enterprise C# loader script (1,649 B) | 97b6418b623caf2de8fa59d69f348eb1cf5e48eb5d5f1d651813718bf474f42e |
| Lure page capture (MHTML) | 2f1026bfa373355217c0e52e123629b842903bfc4925e7d5b53142fea3977cd1 |
.NET loader imphash edc8ef44e1870aad7a3e58dab17f8e1b (== V12) · native downloader imphash 8e7b065c967657cca657d11206f96e23 (new)
| Build | Compiled (UTC) | CEST | Beijing |
|---|---|---|---|
| V12 ejecutivos .NET loader | 2026-07-07 00:48:10 | 02:48 | 08:48 |
| V12.1 inner PE | 2026-07-13 15:40:43 | 17:40 | 23:40 |
| V12.1 Donut/.NET loader | 2026-07-16 16:57:40 | 18:57 | 00:57 |
| V12.1 native downloader | 2026-07-16 20:13:25 | 22:13 | 04:13 |
Two builds ~3 h apart on 2026-07-16 indicate a single working session; the loader was compiled roughly five hours before observed detonation. Three of four cluster 15:40–20:13 UTC (European afternoon/evening). Caveat: PE timestamps are trivially forgeable and n=4. Treat as weak corroboration only — never as attribution.
YARA: as202412_v12_1_otx.yar — 6 self-contained rules (OTX-ingestable):
MZER_Donut_Header (cluster fingerprint, matches at offset 0), V12_1_Native_Downloader,
V12_1_Network_Indicators, EtherHiding_Contract_Read, V12_1_KnownHashes,
Loader_Obfuscator_V12_1. STIX 2.1: SL-ADV-2026-WP-001-V12.1.stix.json.
Response: notify the St. Anne Stiftung and escalate to Hetzner abuse for the compromised lure;
submit 158.94.211.92, digitalenterprise2026.com, dntds.shop /
178.16.53.137 to AbuseIPDB / OTX. Hunt endpoints for the ClickFix cradle, for
mscoree-loaded children of powershell.exe, and for any file beginning
4D 5A 45 52. The BSC RPC endpoint and the public chain are shared-legit — detect behaviourally,
do not blocklist.