SecureLeaf Threat Advisory · Dispensight CTI

Omegatech ClickFix → EtherHiding → DonutLoader — Version 11 (lure: splitcam.com)

BSC-testnet EtherHiding · in-memory C# compile · Donut shellcode → svchost.exe

Severity: Critical Advisory: SL-ADV-2026-WP-001 (V11) Family: DonutLoader tria.ge score: 10/10 Published: 2026-06-27 TLP: CLEAR

1. Executive summary

SecureLeaf has tracked the Omegatech ClickFix/EtherHiding cluster from V1 through V11. V11 uses the compromised legitimate site splitcam.com as its lure and delivers the same DonutLoader end-stage seen in V7–V10. Two material changes this version: the blockchain-hosted stage moved from BSC mainnet to BSC testnet, and the second-stage path was renamed to /my_enterprise/. Backend delivery infrastructure remains constant on 158.94.208.0/24, which keeps V11 firmly attached to the prior cluster.

Confirmation is drawn from two tria.ge detonations (win11 + win10) and a behavioral PCAP. The win10 run additionally exposes the persistence arm (Task Scheduler COM) that the win11 run did not reach.

2. TTP evolution vs V7–V10

Dimension	V7–V10	V11 (this advisory)
Lure vector	compromised WordPress hosts	compromised splitcam.com (CF-fronted)
EtherHiding chain	BSC mainnet	BSC testnet (publicnode + prebsc seed:8545)
Stage-2 path	(prior paths)	/my_enterprise/
Delivery infra	158.94.208.0/24	158.94.208.0/24 (unchanged)
End-stage	DonutLoader → svchost	DonutLoader → svchost (unchanged)

3. Kill chain

Victim browser loads splitcam.com (compromised; Cloudflare-fronted 172.67.148.86 / 104.21.39.190), which serves an obfuscator.io + RC4 loader.
Loader issues a BSC testnet eth_call via bsc-testnet-rpc.publicnode.com and data-seed-prebsc-1-s1.binance.org:8545 to read the hidden contract (EtherHiding).
ClickFix UI tricks the user into pasting a PowerShell one-liner that fetches the cradle: GET http://158.94.208.92/?sid=<epoch-ms>-<rand>.
Cradle sets stage-2 base http://158.94.208.104/my_enterprise → 301 → /my_enterprise/ (cleartext nginx).
Stage-2 pulls /enterprise/my_s.bin (shellcode) and /enterprise/my_downloader.bin (downloader), plus a hex-named …_zip_… blob.
PowerShell compiles C# in memory: csc.exe → cvtres.exe → mc5z3xll.dll.
Donut shellcode is reflectively loaded and injected via WriteProcessMemory into svchost.exe (win11). On win10, Task Scheduler COM establishes persistence.

Telemetry note. The sid token is <epoch-ms click time>-<rand> — observed value 1782587888594-4xwumw3z decodes to the detonation click time, confirming per-victim tracking fires end-to-end.

4. Indicators of Compromise

REPORTABLE high-confidence malicious · DO-NOT-BLOCKLIST compromised/abused-legitimate · FINGERPRINT cluster signal

4.1 Network infrastructure

Indicator	Value	Role	Class
Cradle / beacon IP	158.94.208.92 (80,443)	ClickFix stage-2 retrieval; = digitalenterprise2026.com	REPORTABLE
Stage-2 host	158.94.208.104 (80)	cleartext nginx payload host (/my_enterprise/)	REPORTABLE
TDS	178.16.53.137 (NL)	dntds.shop DonutLoader TDS	REPORTABLE
TDS-adjacent	178.16.53.43 (80)	same /24, cleartext contact	REPORTABLE
Aux C2	91.92.243.161:3038	odd-port callback	REPORTABLE
Domain	dntds.shop	TDS	REPORTABLE
Domain	digitalenterprise2026.com	beacon/cradle (158.94.208.92)	REPORTABLE
Lure host	splitcam.com	compromised victim (CF-fronted)	DO-NOT-BLOCKLIST
BSC testnet RPC	bsc-testnet-rpc.publicnode.com	abused legitimate (EtherHiding)	DO-NOT-BLOCKLIST
BSC testnet seed	data-seed-prebsc-1-s1.binance.org:8545	abused legitimate (EtherHiding)	DO-NOT-BLOCKLIST

4.2 URLs / paths

URL	Stage
http://158.94.208.92/?sid=<epochms>-<rand>	ClickFix cradle
http://158.94.208.104/my_enterprise/	stage-2 landing (301 from /my_enterprise)
http://158.94.208.104/enterprise/my_s.bin	Donut shellcode
http://158.94.208.104/enterprise/my_downloader.bin	downloader

4.3 Host artifacts (hashes)

File	SHA-256
mc5z3xll.dll	85aceb0cf14b0c6dc327df2939d2922e71b3169dca5078708249d534c0a409e1
mc5z3xll.0.cs	f08c2ad3bf501e5dc9aa4f271d1f81aa286af3cdc63358fbddf1592c43cb74a1
mc5z3xll.cmdline	c7b3b1f009b26e0c03101f3ac7a52d27b83c48ad3ca3ea4de33da68cb8c81729

4.4 Behavioral fingerprint

FINGERPRINT Custom stage-2 fetch User-Agent: sesame-open-yourself — non-standard, links V11 retrieval traffic to prior cluster activity. Pivot on this across historical captures.

Prefix correlation. 158.94.208.92 and 158.94.208.104 both sit in 158.94.208.0/24. Run against the AS202412 (Omegatech LTD) prefix-match rule — a hit is another structural-twin confirmation and elevates attribution confidence.

Reconciliation. The empty-string SHA-256 e3b0c44…b855 appears legitimately as the zero-length crashpad pipe and must not be conflated with the decoy challengeHash in the loader's ClickFix insert.

5. MITRE ATT&CK

Tactic	Technique	Observed
Initial Access	T1189	Drive-by via compromised splitcam.com
Command & Control	T1659	Content injection / EtherHiding (BSC testnet)
Execution	T1204.004	ClickFix copy-paste user execution
Execution	T1059.001	PowerShell cradle
Defense Evasion	T1027.004	Compile-after-delivery (csc.exe/cvtres.exe)
Defense Evasion	T1140	obfuscator.io + RC4 loader decode
Defense Evasion / Execution	T1620	Reflective code loading (Donut)
Privilege Esc. / Def. Evasion	T1055	WriteProcessMemory → svchost.exe
Persistence	T1053.005	Task Scheduler COM (win10)
Discovery	T1217 / T1012 / T1082 / T1124	browser / registry / system info / time

6. Detection & response

Hunt

· powershell.exe spawning csc.exe/cvtres.exe then writing to svchost.exe.
· Outbound :8545 JSON-RPC eth_call from a browser child process.
· HTTP requests with UA sesame-open-yourself.
· Any contact to 158.94.208.0/24 or /my_enterprise/.

Respond

· Block reportable IPs/domains (§4.1); spare CF/Binance/legit infra.
· Remove Task Scheduler COM persistence (win10 arm).
· Submit reportable hosts to AbuseIPDB/OTX under handle Dispensight.
· Notify splitcam.com operators (compromised victim).

7. References

· tria.ge behavioral (win11): 260627-xsnlysdt3q
· tria.ge behavioral (win10): 260627-xzmcgacz4x
· STIX 2.1 bundle: SL-ADV-2026-WP-001_V11.stix.json (TAXII: taxii.dispensight.ca)
· Prior cluster: SL-ADV-2026-WP-001 V1–V10