{
	"id": "0f975309-023d-42bc-b051-98700971f4b1",
	"created_at": "2026-04-06T00:12:23.636615Z",
	"updated_at": "2026-04-10T03:36:47.914572Z",
	"deleted_at": null,
	"sha1_hash": "5e6abefa29d1ea148da9bb75fa33ba1c6d2df7a9",
	"title": "Custom I2P RAT “I2Parcae” Delivered via Pornographic Customer Support Form Spam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 200043,
	"plain_text": "Custom I2P RAT “I2Parcae” Delivered via Pornographic Customer Support Form Spam\r\nArchived: 2026-04-05 19:43:16 UTC\r\nAuthor: Kahng An\r\nA customer support contact web form spamming campaign delivering a newly distributed Remote Access Trojan (RAT) was observed a few days before this report. Cofense Intelligence is tracking this new malware family as “I2Parcae”. The RAT is notable for several unusual tactics, techniques, and procedures (TTPs): Secure Email Gateway (SEG) evasion by relaying emails through legitimate infrastructure, fake CAPTCHAs, abuse of hardcoded Windows File Explorer behavior to hide dropped files, and command and control (C2) over the Invisible Internet Project (I2P), a peer-to-peer anonymity network with end-to-end encryption. Once a host is infected, I2Parcae can disable Windows Defender, enumerate the Windows Security Accounts Manager (SAM) for accounts and groups, steal browser cookies, and give the operator remote access to the host. As of this report, I2Parcae appears to be delivered via automated spam messages submitted to customer support contact forms on multiple websites. The messages carry an embedded link purporting to lead to pornography.\r\nI2P Overview\r\nThis sample is notable for many reasons, one of which is its use of I2P for C2 traffic. I2P, like Tor, is an overlay network that provides anonymous connections, although Tor is far more widely used. Technically, I2P differs from Tor in that it uses peer-to-peer connections between computers running the I2P software, whereas Tor relies on dedicated relays that are generally distinct from Tor clients. As a result, every I2P user contributes their computer as a node on the network, and simply running the I2P software generates a large volume of inbound and outbound I2P traffic as other peers connect through the hosted node. Additionally, all I2P traffic is end-to-end encrypted by the protocol. Both properties make network traffic analysis particularly difficult, since the C2 traffic is encrypted and blends into the peer traffic that the victim’s own I2P router carries for the rest of the network.\r\nI2P provides hidden service website functionality similar to Tor; these websites (called “eepsites”) are identified by the .i2p top-level domain. While eepsites can have human-readable names, the most basic and likely most common form of address is the Base32 encoding of the SHA-256 hash of the eepsite’s destination (its public keys), followed by .b32.i2p, so the address itself identifies the service without any directory lookup. For example, “2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq[.]b32[.]i2p” was an eepsite used by this malware sample.\r\nCampaign Characteristics\r\nThe campaign abuses customer support contact forms: the attacker submits a message through the form, and the site’s own contact form system emails that message onward. This lets the threat actor deliver malicious content from legitimate web or email server infrastructure owned by the target organization. The tactic also bypasses many SEGs, because the email originates from legitimate infrastructure rather than from an attacker-controlled sender. From the samples analyzed by Cofense Intelligence, this tactic allowed the messages to bypass Cisco IronPort and Proofpoint.\r\nhttps://cofense.com/blog/custom-i2p-rat-i2parcae%E2%80%9D-delivered-via-pornographic-customer-support-form-spam\r\nPage 1 of 4\r\nFigure 1 shows an example of one of the emails. The exact structure of the email varies with the contact form system used, but it generally includes a short message and a link to a site purporting to host pornographic material.\r\nFigure 1: The initial email was sent via a customer support contact form.\r\nUpon clicking the link, victims are brought to a page purporting to contain a link to the pornography, as shown in Figure 2.\r\nFigure 2: Landing page of the embedded link from the email.\r\nThe embedded link on this site is notable because it points to porn-zoo[.]sbs rather than the displayed URL. The real link redirects victims to a fake CAPTCHA page that asks the victim to run a script that has already been copied to their clipboard, shown in Figure 3. This redirect appears to work only on Chromium-based browsers; users of other browsers are redirected to a pornographic site instead.\r\nFigure 3: A fake CAPTCHA site that automatically copies a malicious script into the victim’s clipboard for the victim to run.\r\nI2Parcae is downloaded and executed on the victim’s machine when the victim runs the script. After the malware is installed, the script opens a browser window to a pornographic site, misleading the victim into thinking the script was a legitimate CAPTCHA required to access the site.\r\nMalware Capabilities\r\nI2Parcae is particularly stealthy. After the malicious script is run, I2Parcae disables Windows Defender, creates a Windows Defender exclusion for “%HOMEDRIVE%\\Users\\” (a path that covers every user profile, including the Public profile where the malware stages its files), and creates a folder named “Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}” in C:\\Users\\Public\\. This is notable because “{20d04fe0-3aea-1069-a2d8-08002b30309d}” is the hardcoded class identifier of the “My PC” (This PC) page in the built-in Windows File Explorer. Explorer treats a folder whose name ends in that identifier as the shell object itself, so attempting to open the folder in File Explorer simply directs the user to the “My PC” page; the folder’s contents remain accessible from a command prompt, PowerShell, or other tooling that does not go through the Explorer shell namespace. I2Parcae uses this folder to drop various malicious DLLs, configuration files, scheduled tasks, and an I2P installation package.\r\nI2Parcae creates two scheduled tasks, coomgr and sesctl, that run correspondingly named executables at system start. The exact capabilities and purpose of these two executables are unknown, but the debug logs suggest that coomgr.exe accesses web browser data and sesctl.exe accesses system information.\r\nI2Parcae’s main payload is simply named main.exe and appears to use various DLL modules, all of which generate robust and in-depth logs. The most notable module, and the one that logs the most, is cnccli.dll, which appears to be the C2 module. Its configuration file appears to contain two C2 addresses: an I2P address and a regular IPv4 address and port. Other modules appear to enumerate SAM accounts and groups (samctl.dll), enumerate installed programs (prgmgr.log), and connect to other hosts via Windows Remote Desktop Services (rdpctl.log). The main payload listens on localhost on port 41673, which the various modules use to communicate with it.\r\nSource: https://cofense.com/blog/custom-i2p-rat-i2parcae%E2%80%9D-delivered-via-pornographic-customer-support-form-spam",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cofense.com/blog/custom-i2p-rat-i2parcae%E2%80%9D-delivered-via-pornographic-customer-support-form-spam"
	],
	"report_names": [
		"custom-i2p-rat-i2parcae%E2%80%9D-delivered-via-pornographic-customer-support-form-spam"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434343,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e6abefa29d1ea148da9bb75fa33ba1c6d2df7a9.pdf",
		"text": "https://archive.orkl.eu/5e6abefa29d1ea148da9bb75fa33ba1c6d2df7a9.txt",
		"img": "https://archive.orkl.eu/5e6abefa29d1ea148da9bb75fa33ba1c6d2df7a9.jpg"
	}
}