SL-ADV-2026-WP-001 · Version 12.1

Unknown APT (AS202412) — ClickFix → BSC EtherHiding → DonutLoader

V12.1 · new native MinGW stager · infra rotation to 158.94.211.92 · V11 domain recycled · lure naturlexikon-bayern.de
SEVERITY: HIGH TLP:CLEAR Actor: UNKNOWN APT · AS202412 infra Continuity: imphash-confirmed (same source tree) Published 2026-07-16 · Dispensight / SecureLeaf

Executive summary

A further iteration of this ClickFix cluster is live, delivered from a newly-compromised German charity website. The threat actor remains unattributed — tracked as an unknown APT using AS202412 infrastructure. ("Omegatech LTD" is the registered operator of AS202412, a Seychelles bulletproof-hosting AS — the infrastructure provider, not a confirmed actor identity.)

Continuity is imphash-confirmed: the Donut/.NET loader carries imphash edc8ef44e1870aad7a3e58dab17f8e1bbyte-identical to V12, with the same seven sections including .fptable. Recompiled, not rewritten: the same source tree.

Assessed V12.1, not V13. The version-defining chain config (stage path, payload name, TDS, EtherHiding) and the .NET core are unchanged. What changed is packaging and plumbing: a new native downloader stage, rotated infrastructure, and a recycled V11 domain.

Kill chain (V12.1)

Compromised lure. Victim loads naturlexikon-bayern.de — a legitimate Bavarian nature encyclopedia run by the St. Anne Stiftung (charitable foundation; site © 2013, likely unmaintained CMS). Hosted 188.40.29.134 (Hetzner).
TDS. obfuscator.io loader beacons dntds.shop178.16.53.137 unchanged from V12.
EtherHiding. eth_call get() (selector 0x6d4ce63c) against BSC-testnet contract 0xFB448D…D469d via bsc-testnet-rpc.publicnode.com.
ClickFix. Fake Cloudflare "Verify you are human" overlay. Paste vector evolved: Win+X → Terminal (earlier variants used Win+R → Run). The displayed Ray ID s671oa11sh717t0q is non-hex filler — a fake credential, same tell as V12's challengeHash being SHA-256 of the empty string.
Stage-2. digitalenterprise2026.com — the V11 domain, re-pointed to 158.94.211.92 (NEW /24) — serves /s_enterprise, a ~1.6 KB C# in-memory loader script (Add-Type + VirtualAlloc/Marshal, T1027.004).
NEW native stage. A MinGW-w64 / GCC-15 native x64 WinHTTP downloader (50,688 B) fetches /enterprise/student_s.bin. Absent in V12 — a different toolchain from the MSVC-built .NET core.
Payload. Donut shellcode with the MZER polyglot header restored (4D 5A 45 52 + E8 GetPC), wrapping the .NET loader (284,160 B, imphash identical to V12).

Continuity vs evolution

TraitStatus in V12.1
.NET loader imphash edc8ef44… + 7 sections incl. .fptableIDENTICAL to V12 — same source tree (strongest continuity signal)
TDS dntds.shop178.16.53.137Unchanged
Stage path /s_enterprise · payload student_s.binUnchanged (V12 lineage)
BSC-testnet EtherHidingRetained
obfuscator.io RC4/rotate loader familyRetained (V7 → V12.1)
Compromised-legit lure deliveryRetained (ES → PH/PK → DE)
Native MinGW-w64/GCC-15 WinHTTP downloader stageNEW — absent in V12
Stage-2 IPNEW — 158.94.211.92 (V12: 158.94.208.104)
C2 domainRECYCLED — V11's digitalenterprise2026.com re-pointed to new IP
MZER polyglot Donut headerRESTORED (V12/ejecutivos used a bare E8 stub)
ClickFix paste vectorEVOLVED — Win+X → Terminal (was Win+R)

Detection note: because V12.1 pairs the V11 C2 domain with the V12 stage config, the SecureLeaf rules AS202412_Chain_V11 and AS202412_Chain_V12 fire simultaneously on the detonation capture. That co-fire is itself a V12.1 signature. It also confirms the earlier finding that chain config is pinned per compromised host by its injected implant — V11, V12 and V12.1 are live concurrently, so V11 IOCs are not retired.

Indicators of compromise

Network

IndicatorRole
158.94.211.92Stage-2 / payload delivery (NEW /24) — reportable
digitalenterprise2026.comC2 — V11 domain recycled onto the new IP — reportable
dntds.shop → 178.16.53.137TDS / loader host (unchanged) — reportable
naturlexikon-bayern.de → 188.40.29.134VICTIM — compromised charity site (Hetzner). Notify; do not hard-blocklist
bsc-testnet-rpc.publicnode.comEtherHiding RPC — shared-legit, DO NOT BLOCKLIST
0xFB448D465841C63F3bC433be61Eb692b813D469dBSC-testnet EtherHiding contract (get() = 0x6d4ce63c) — durable, track

Paths

Pattern
/s_enterprise
/enterprise/student_s.bin

File hashes (SHA-256)

ArtifactSHA-256
dntds.shop JS loader (V12.1 build)730e7bff19c481cf279f2b094fff0ff1d2899753e1974c4a7433e5c14f0e1d1b
Donut/.NET loader student_s.bin (284,160 B)0edbd4b91d63f9804f90aeee408302936d87fdbda2fb8dbb6f83868861f9c613
NEW native MinGW WinHTTP downloader (50,688 B)6270f38bdf27aebb108331a484220a8bc0b9a1e6a2c4bba6dad89a2f3665bca5
Stage-2 /s_enterprise C# loader script (1,649 B)97b6418b623caf2de8fa59d69f348eb1cf5e48eb5d5f1d651813718bf474f42e
Lure page capture (MHTML)2f1026bfa373355217c0e52e123629b842903bfc4925e7d5b53142fea3977cd1

.NET loader imphash edc8ef44e1870aad7a3e58dab17f8e1b (== V12) · native downloader imphash 8e7b065c967657cca657d11206f96e23 (new)

Build telemetry (pattern of life)

BuildCompiled (UTC)CESTBeijing
V12 ejecutivos .NET loader2026-07-07 00:48:1002:4808:48
V12.1 inner PE2026-07-13 15:40:4317:4023:40
V12.1 Donut/.NET loader2026-07-16 16:57:4018:5700:57
V12.1 native downloader2026-07-16 20:13:2522:1304:13

Two builds ~3 h apart on 2026-07-16 indicate a single working session; the loader was compiled roughly five hours before observed detonation. Three of four cluster 15:40–20:13 UTC (European afternoon/evening). Caveat: PE timestamps are trivially forgeable and n=4. Treat as weak corroboration only — never as attribution.

MITRE ATT&CK

T1189 Drive-by · T1584.004 Compromise Server · T1204.004 Malicious Copy-Paste (ClickFix) · T1059.001 PowerShell · T1102 Web Service (EtherHiding) · T1140 Deobfuscate · T1027.004 Compile After Delivery · T1105 Ingress Tool Transfer · T1055 Process Injection · T1071.001 Web C2

Detection & response

YARA: as202412_v12_1_otx.yar — 6 self-contained rules (OTX-ingestable): MZER_Donut_Header (cluster fingerprint, matches at offset 0), V12_1_Native_Downloader, V12_1_Network_Indicators, EtherHiding_Contract_Read, V12_1_KnownHashes, Loader_Obfuscator_V12_1. STIX 2.1: SL-ADV-2026-WP-001-V12.1.stix.json.

Response: notify the St. Anne Stiftung and escalate to Hetzner abuse for the compromised lure; submit 158.94.211.92, digitalenterprise2026.com, dntds.shop / 178.16.53.137 to AbuseIPDB / OTX. Hunt endpoints for the ClickFix cradle, for mscoree-loaded children of powershell.exe, and for any file beginning 4D 5A 45 52. The BSC RPC endpoint and the public chain are shared-legit — detect behaviourally, do not blocklist.

SL-ADV-2026-WP-001 V12.1 · Dispensight / SecureLeaf · secureleaf.dispensight.com · TAXII 2.1 taxii.dispensight.ca · TLP:CLEAR · defensive analysis only — no payload reproduced. © 2026 Dispensight.