{
	"id": "2b961aa2-577e-449d-8ff9-4d9ea98e15d6",
	"created_at": "2026-04-06T00:14:56.15557Z",
	"updated_at": "2026-04-10T03:31:25.898502Z",
	"deleted_at": null,
	"sha1_hash": "ddf054c812302bce65a6b5ba9aaa80be8276e1a7",
	"title": "Operation PhantomControl",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6659902,
	"plain_text": "Operation PhantomControl\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 16:00:58 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation-state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn July 2023, we received multiple alerts from BlueSteel, our machine-learning-powered PowerShell classifier, on\r\nthe execution of malicious PowerShell commands. Our Incident Handling Team identified ScreenConnect activity,\r\nwhich created numerous malicious files under the ProgramData folder.\r\nhttps://www.esentire.com/blog/operation-phantomcontrol\r\nPage 1 of 12\n\nFigure 1: Malicious files dropped under the ProgramData folder\r\nThe ScreenConnect client was downloaded from a compromised Teachflix website (the website hosts educational\r\nvideos for the classroom).\r\nFigure 2: Compromised Teachflix website delivering ScreenConnect\r\nUpon visiting one of the pages, the user would get an error pop-up instructing them to download and launch the\r\nbinary “teachflix.exe” to be able to browse through the website.\r\nThe error icon and ScreenConnect binary are located under the /.well-known directory of the compromised webpage,\r\nas shown in Figure 3.\r\nFigure 3: Snippet of the code responsible for serving the ScreenConnect binary\r\nThe threat actor(s) executed the 02.bat script via the ScreenConnect session. The batch script is responsible for\r\nlaunching the malicious PowerShell command.\r\nUnfortunately, we were not able to retrieve the 02.bat script. We cleaned up the command (Figure 5), and we can\r\nsee that it retrieves the file “Coinfg.SVG” from the server after the string replacements.\r\nFigure 4: Execution of the 01.bat file via ScreenConnect session\r\nFigure 5: Malicious PowerShell command\r\nThe payload was hosted on a Plesk-controlled website and was uploaded to the server on July 12th. After\r\nperforming an open source search, we were able to identify this as the WSO PHP webshell, which is available on\r\nGitHub. Our Threat Response Unit (TRU) discovered over 20 websites impacted, including the ones that were at\r\nsome point infected with the webshell and delivering ScreenConnect. The binaries were also located in the /.well-known directory.\r\nBased on the naming conventions and infection patterns, we assess with high confidence that the same threat actor\r\nis behind Operation PhantomControl.\r\nFigure 6: Coinfg.SVG payload\r\nFigure 7: Example of another infected website\r\nThe SVG file is a PowerShell script that performs the following actions:\r\nProcess hollowing via the first binary named “NewPE.dll” (RegSvc.exe process) – Figure 9. The binary is\r\nobfuscated with ConfuserEx.\r\nLoading and invoking the main payload, which is AsyncRAT (an open-source remote access trojan with\r\nnumerous capabilities, including remote access, file exfiltration, and keylogging)\r\nWriting the PowerShell file “cgihvzm.ps1” into the ProgramData\\HAZLOPTVICXEAQ folder (please note\r\nthat the directory name can be different)\r\nWriting the VBS file “HAZLOPTVICXEAQ.vbs” and the PowerShell file “HAZLOPTVICXEAQ.ps1” into the\r\nsame folder mentioned above\r\nCreating a scheduled task named “HAZLOPTVICXEAQ” to run the VBS file\r\nWriting the batch file “1.bat” into the mentioned folder\r\nRunning the PowerShell files “cgihvzm.ps1” and “HAZLOPTVICXEAQ.ps1”, and the batch file “1.bat”\r\nFigure 8: Cleaned-up snippet of the Coinfg.SVG script\r\nFigure 9: PE responsible for process hollowing\r\nWhat each file created under ProgramData does:\r\nHAZLOPTVICXEAQ.vbs – responsible for running the 1.bat file\r\n1.bat file – responsible for running the “cgihvzm.ps1” file via the command:\r\nCMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI\r\n\"C:\\ProgramData\\HAZLOPTVICXEAQ\\cgihvzm.ps1\"\r\ncgihvzm.ps1 – responsible for process hollowing and invoking the AsyncRAT payload under the RegSvc.exe\r\nprocess\r\nTRU was able to extract the configuration of the AsyncRAT (you can find the configuration extractor here):\r\nInstallFolder: %AppData%\r\nInstallFile:\r\nDelay: 3\r\nHwid: null\r\nPorts: 7707\r\nHosts: 3llah23.run[.]place\r\nVersion: | Edit 3LOSH RAT\r\nInstall: false\r\nKey: Rlc2WlZTZktzenBUZjlxY3FuSERObFU3YTlKT1NWM2o=\r\nMTX: AsyncMutex_pp5533\r\nCertificate: MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JB\r\nServerSignature: Fa5Vn2RD7yT9pbzm5Y7IKIzEEYkDjYtqyenb3bJPDoamNXehAGwA66fUHRfTxg8a3F45tVAHZ2wgBQtCSYZC\r\nAnti: false\r\nofflineKL: true\r\nclipper: null\r\nbtc: false\r\neth: July23\r\nTRU also observed two other attempts to retrieve the payload via the ScreenConnect session after executing the\r\n01.bat script. One of the payloads was located at 212.11.196[.]183/~sytimes/C0nfig.jpg. However, at the time of\r\nthis reporting, the host is down.\r\nAnother payload was retrieved via the “runing.exe” binary. We were not able to retrieve the binary as it was\r\nremoved. However, through open-source analysis, we assess with medium confidence that the binary is an\r\nAutoHotKey loader that is used to retrieve the secondary payload (in our case, the payload is located at\r\nhxxp://moealalah.za[.]com/moealalah.jpg, which is no longer available). We were able to retrieve similar files\r\nfrom VirusTotal:\r\n1da8d6c16662e383b822b6bade1a22a8\r\n8f9b33e897e2b0fdd0ff93ee7d98750b\r\nThe configurations extracted from both payloads:\r\nSample: 1da8d6c16662e383b822b6bade1a22a8\r\nInstallFolder: %AppData%\r\nInstallFile:\r\nDelay: 3\r\nHwid: null\r\nPorts: 6606,7707,8808\r\nHosts: exos.mywire[.]org,esxo.ddnsfree[.]com\r\nVersion: | Edit 3LOSH RAT\r\nInstall: false\r\nKey: RlJwM3pUdnZaREZmWGdxRWZ1dWxrdEZKWW5ZQnVWbm8=\r\nMTX: AsyncMutex_x\r\nCertificate: MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JB\r\nServerSignature: UhbE2oQynqRnX48lpueYKPvSxE9W0Ci2coEjy0d1o7nRpwyX3EaaUXnqAEksohjTKvYNHDgTXQfdQKDzVo79\r\nAnti: false\r\nofflineKL: true\r\nclipper: null\r\nbtc: false\r\neth: Default\r\nSample: 8f9b33e897e2b0fdd0ff93ee7d98750b\r\nInstallFolder: %AppData%\r\nInstallFile:\r\nDelay: 3\r\nHwid: null\r\nPorts: 8808,5010\r\nHosts: r0nj.ooguy[.]com\r\nVersion: | Edit 3LOSH RAT\r\nInstall: false\r\nKey: Y3hNMmN0YU9odDlldE9kenhtQ3d1RkwxZXpMNkZMWEY=\r\nMTX: AsyncMutex_6SI8OkPnk\r\nCertificate: MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JB\r\nServerSignature: iWL0PXmyFu2bGJKrjiG4nztTVlih2vW2GMzh4NDA09LO69YZH7FaF9KzNc0pFtXLEOlDVDuDmRsOsmlA9BBQ\r\nAnti: false\r\nofflineKL: false\r\nclipper: null\r\nbtc: false\r\neth: GRACE\r\nThe threat actor generated the ScreenConnect client using the ClickOnceRun option, which then, upon user execution,\r\ndownloads the client from the attacker-controlled ScreenConnect panel. In the case we observed, the attacker’s\r\nScreenConnect instance was engineer53.screenconnect[.]com. Upon launching the client, the attacker gained\r\nfull remote control of the victim’s machine.\r\nFigure 10: Downloading the ScreenConnect client from the attacker-controlled panel\r\nWhat did we do?\r\neSentire TRU investigated the threat and confirmed the activity is malicious.\r\nOur team of 24/7 SOC Cyber Analysts isolated affected hosts to contain this incident in accordance with\r\nthe customer’s business policies.\r\nWhat can you learn from this TRU Positive?\r\nAttackers used ScreenConnect, delivered via a compromised website, to achieve remote control over the\r\nmachine and push additional malware such as AsyncRAT.\r\neSentire TRU was able to identify over 20 websites that were compromised by the same threat actor.\r\nAsyncRAT payloads that belong to the threat actor are communicating with different C2 servers.\r\nRecommendations from our Threat Response Unit (TRU):\r\nTrain users to identify and report potentially malicious content using Phishing and Security Awareness\r\nTraining (PSAT) programs.\r\nEnsure employees have access to a dedicated software center to download corporate-approved software.\r\nProtect endpoints against malware by:\r\nEnsuring antivirus signatures are up-to-date.\r\nUsing a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and\r\ncontain threats.\r\nIndicators of Compromise\r\nName Indicator\r\nAsyncRAT 37950f1c490168d8c52bde11799fa40b\r\nAsyncRAT addfb71ffe786565f2e156fb5bb45f42\r\nAsyncRAT bf96552cf18eb495d06ec007cef18831\r\nAsyncRAT C2 exos.mywire[.]org\r\nAsyncRAT C2 esxo.ddnsfree[.]com\r\nAsyncRAT C2 3llah23.run[.]place\r\nAsyncRAT C2 r0nj.ooguy[.]com\r\nCoinfg.SVG fa176901cd6018b7a9516f3287fc5b75\r\nHAZLOPTVICXEAQ.vbs d8b8486e376519aa4bfe152b7137df33\r\n1.bat c6c8b7cd095bf71cb47604b0b3d7e4b6\r\nHAZLOPTVICXEAQ.ps1 aa8a3ab5b73600904dd73664d338e27b\r\ncgihvzm.ps1 5093aa07dcead8ec112fe9ff80fc6499\r\nteachflix.exe 0716fa674efaed96bfe3cd96f991ccb3\r\nAttacker’s ConnectWise instance engineer53.screenconnect[.]com\r\nPotential C2 for webshell 45.94.211[.]123\r\nReferences\r\nhttps://blog.sucuri.net/2020/03/tiny-wso-webshell-loader.html\r\nhttps://github.com/RussianPanda95/Configuration_extractors/blob/main/AsyncRAT_config_extractor.py\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/operation-phantomcontrol",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/operation-phantomcontrol"
	],
	"report_names": [
		"operation-phantomcontrol"
	],
	"threat_actors": [
		{
			"id": "45bb30d6-8cb3-4ac1-b85f-26e9abae6058",
			"created_at": "2024-01-09T02:00:04.185637Z",
			"updated_at": "2026-04-10T02:00:03.50568Z",
			"deleted_at": null,
			"main_name": "PhantomControl",
			"aliases": [],
			"source_name": "MISPGALAXY:PhantomControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434496,
	"ts_updated_at": 1775791885,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddf054c812302bce65a6b5ba9aaa80be8276e1a7.pdf",
		"text": "https://archive.orkl.eu/ddf054c812302bce65a6b5ba9aaa80be8276e1a7.txt",
		"img": "https://archive.orkl.eu/ddf054c812302bce65a6b5ba9aaa80be8276e1a7.jpg"
	}
}