Operation Repo Ruse
Rift Brigantine's GitHub Lures Deploy Malware
January 15, 2026 | 15 min read
Thomas Elkins and Joshua Green


BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) researchers identified an active campaign by the prolific threat actor Rift Brigantine (a.k.a. TA505, FIN11, and Graceful Spider). In this iteration, the actor is leveraging fraudulent GitHub repositories to distribute malicious batch script installers masquerading as legitimate IT and security software, including Microsoft Remote Desktop Connection Manager (RDCMan) and Palo Alto Networks GlobalProtect. These scripts deploy the modular TookPS Downloader, which orchestrates a sophisticated, multi-stage infection chain designed to establish persistent remote access. It accomplishes this through obfuscated PowerShell scripts, SSH reverse tunnels, and sideloaded remote access trojans (RATs). This activity is not a novel intrusion; the TFC's research identified it as the latest evolution of a long-running, adaptable operation with documented ties to historical Rift Brigantine campaigns.
What Happened?
The attack began when an admin user searched GitHub for installers for RDCMan and Palo Alto's GlobalProtect software. The attacker had set up multiple repositories masquerading as legitimate sources containing installers for the supposed applications.

Figure 1 - GitHub Page hosting fake RDCMan installer
The ZIP archive found in the latest release section of GitHub contained a batch file masquerading as the application installer, accompanied by numerous extension-less junk files added solely to inflate the archive size and create the illusion of legitimacy.
Upon execution, the batch script displays instructions informing the user that it needs to be run with administrator privileges. While analyzing the file contents, BlueVoyant researchers observed that it was constructed with multiple layers of string splitting and environment-variable manipulation to hide its true purpose.
The script queries the computer name and username from the %COMPUTERNAME% and %USERNAME% environment variables, then generates a URL (in this case, hxxps://glucogenics[.]com/static_image/) to which it submits those values using curl.
It then retrieves an encoded payload from another path on the same Command & Control (C2) domain, txtfiles/?enc, and executes it as a PowerShell script launched with an execution-policy bypass.
Pivoting revealed that earlier versions of this malicious script contacted ankaraotogaleri[.]com, while newer variants shifted to glucogenics[.]com. The threat group behind these attacks appears to update its script on a weekly basis, rotating to new domains to evade detection.
Ultimately, the batch file serves as a lightweight but highly obfuscated loader, previously identified as the TookPS Downloader. It is designed to fetch and execute attacker-controlled code from a remote server under the guise of a legitimate software installer.

Figure 2 – Batch script contents containing obfuscated curl commands
The remote path txtfiles/?enc serves a PowerShell script designed to generate a unique identifier for the infected machine and then quietly contact a remote server using that identifier.
The script begins by looking for a file named hwid.dat, first inside the C:\ProgramData folder and, if it is not found there, inside the user's AppData folder. This file stores the system's Hardware ID (HWID). If the file is missing altogether or does not contain a proper 32-character value, the script builds a new identifier by combining the computer's name with its hardware UUID, retrieved directly from Windows' system information. It saves this combined value to the hwid.dat file, calculates its MD5 hash, and replaces the file's contents with this new hashed identifier. This gives the malware a consistent, fingerprint-like identifier that uniquely represents that specific victim machine.
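To help responders validate a recovered hwid.dat against the host it was found on, here is an added Python example (not code from the report or from the malware) that recomputes the identifier as the report describes it. The report does not state how the computer name and hardware UUID are joined before hashing, so the separator is an assumption and several common ones are tried; the AppData sub-path is likewise an assumption.

```python
import hashlib
import os
import re

# Locations the loader checks, in order (from the report). The exact AppData
# sub-path is not stated, so the second entry is an assumption.
HWID_CANDIDATES = [r"C:\ProgramData\hwid.dat", r"%APPDATA%\hwid.dat"]

HWID_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def looks_like_hwid(content: str) -> bool:
    """True when the file holds the 32-character value the loader accepts as valid."""
    return bool(HWID_RE.match(content.strip()))


def expected_hwid(computer_name: str, hardware_uuid: str, separator: str = "") -> str:
    """Recompute what the loader writes: MD5 of the computer name joined with the
    hardware UUID. The separator between the two is an assumption."""
    raw = f"{computer_name}{separator}{hardware_uuid}"
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def classify_hwid(content: str, computer_name: str, hardware_uuid: str) -> str:
    """Triage a recovered hwid.dat against the host's own name and UUID."""
    value = content.strip().lower()
    if not looks_like_hwid(value):
        # Raw "name+uuid" text or garbage: the loader would regenerate and re-hash it.
        return "invalid-format"
    for sep in ("", "-", "_", ":", " "):
        if value == expected_hwid(computer_name, hardware_uuid, sep):
            return f"matches-this-host(sep={sep!r})"
    # Correct shape but not derived from this host: copied from another machine
    # or produced by a derivation this check does not cover.
    return "valid-format-no-match"


def find_hwid_files(candidates=HWID_CANDIDATES) -> list:
    """Return the candidate paths that exist on this machine (env vars expanded)."""
    return [p for p in (os.path.expandvars(c) for c in candidates) if os.path.isfile(p)]


if __name__ == "__main__":
    # Constructed demo values, not taken from a real host.
    name, uuid = "WS01", "4C4C4544-0042-3110-8051-B7C04F4A5A31"
    print(expected_hwid(name, uuid))
    print(classify_hwid(expected_hwid(name, uuid), name, uuid))
    for path in find_hwid_files():
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, classify_hwid(fh.read(), name, uuid))
```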

Figure 3 – PowerShell script contained at remote server
Once the HWID is confirmed or newly generated, the script contacts the attacker-controlled server at glucogenics[.]com, sending an HTTP request that includes the victim’s unique ID as a parameter. The server’s response is executed immediately in memory using PowerShell’s Invoke-Expression (IEX). This allows the attacker to run arbitrary commands on the victim system without writing any additional files to disk, a technique commonly used to evade antivirus detection.
After this connection is established, BlueVoyant observed the remote server deliver six separate PowerShell scripts, each designed to run in sequence. Every script includes its own built-in sleep delay, ensuring that one script completes fully before the next begins.

Figure 4 – PowerShell script contained at remote server
PowerShell Scripts One and Two
Five of the six scripts are constructed similarly, each containing a function that deobfuscates Base64-encoded strings through mathematical operations.
The first two PowerShell scripts gather information about the impacted host, including the following:
- Obtain the hostname and username, storing them in the variables CN and UN
- Obtain the public IP of the compromised host using hxxps://ifconfig[.]me/ip
- Determine the current user session and how it was established (i.e. RDP, Console, Network, Service, etc.)
- Query running processes for the strings below and capture the process name and process ID (PID):
  - QTConnect
  - Msedgeview
  - ssh
  - sshd
  - cloudflared
  - ksync
  - HDVideo
  - lapmon
  - ctfmon
- Identify the following folders and files, recursively enumerate each file, and record its MD5 hash and file name:
  - C:\ProgramData\hwid.dat
  - C:\ProgramData\oko
  - C:\ProgramData\oko_ver
  - AppData\QTUpdate
- Query the GPU and processor using WMI and CIM
Once this information is obtained, the script formats the data as JSON and ships it to a remote server hosted at the domain ptk2[.]xyz.
PowerShell Script Three
The third PowerShell script attempts to execute content from a remote server, supplying the value contained in hwid.dat to the C2 URL in the format hxxps://ptk2[.]xyz/online/took.php?HWID=<HWID>. The server responds with a new script for PowerShell to execute, which does not appear to be the same payload each time; rather, it is randomized or cycled between different approaches. The goal, however, remains to download additional payloads aimed at gaining remote access to the compromised machine, as Kaspersky researchers described for TookPS.

Figure 5 – Contents of third PowerShell script
As stated, the third PowerShell script delivers payloads, and the first three scripts always execute. Although scripts four, five and six are delivered together with the first three, they appear to be conditional or redundant payloads: the same three scripts also appear among the variety of payloads pushed by script three. In other words, the fourth, fifth and sixth scripts arrive with the initial six but may additionally be delivered as part of the payloads executed by script three.
PowerShell Script Four
The fourth PowerShell script payload is designed to download a suspicious zip archive named volume2.zip from the URL hxxps://2tnl[.]digital/online/tunupd.php?f=volume2&HWID=<HWID>, placing it within LOCALAPPDATA\Temp. After confirming the download succeeded, the script extracts the contents and computes the MD5 hash of each file in the directory.

Figure 6 – Contents of fourth PowerShell script
After the contents are extracted, the PowerShell script executes an executable named Volume2.exe. While analysis of Volume2.exe is still ongoing, BlueVoyant researchers determined that this binary sideloads another DLL, protobuf.dll, which behaves as a backdoor. protobuf.dll contains Base64-encoded data that is subsequently decrypted using AES in GCM mode. The decrypted data was a headless PE file that ultimately contacted the C2 domain livewallpapers[.]online.
PowerShell Scripts Five and Six
The final two PowerShell scripts are responsible for downloading and executing a supposed TeamViewer program, renamed as QTConnect.
The fifth PowerShell script begins by creating a folder, QTConnect, within the APPDATA\Roaming folder if it does not already exist. The script then changes into this folder and builds a hash table mapping the following file names to their respective MD5 hashes:
- TeamViewer_Resource_en.dll
- TeamViewer_StaticRes.dll
- TeamViewer.ini
- TeamViewer_Desktop.exe
- TeamViewer.exe (renamed as QTConnect.exe)
- msi.dll (this file does not have an associated MD5 hash, which is discussed later)
For each entry in the table, the script checks whether the file exists. If it does, it computes the file's MD5 and compares it to the stored value. If the hash matches, the file is left alone; if it does not match, the file is deleted and marked for re-download. For files that are missing or flagged as bad, the script constructs a per-file download URL by appending the filename to the tunupd.php?f=<filename> path within the URL hxxps://ptk2[.]xyz/online/took.php?f= and uses Invoke-WebRequest to pull a fresh copy from the remote server.
As for the msi.dll, the script first writes a large random ASCII blob into a temporary image.png file in the same folder (likely to pad or mask the payload), then streams the downloaded content over that file, reads a FileMD5 HTTP header from the server as the “official” hash, deletes any old msi.dll, renames the image.png file to msi.dll, and remembers the new MD5 value so it can be used as the trusted hash on subsequent runs.
After downloading the required files, the script runs netstat -ano | Select-String 443, parses the output, and for any connection on port 443 whose owning process name matches QTConnect, prints a small info object (process name, PID, local/remote address) and then force-kills that process. This ensures no QTConnect.exe process is already running.
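As an added detection example (not part of the original report), the following Python script turns the fifth script's own netstat check around for defenders: it parses netstat -ano output together with a PID-to-image map (on a live host, taken from tasklist or Get-Process) and flags QTConnect.exe beaconing on 443, images running from %APPDATA%\Roaming\QTConnect, and ssh/sshd binaries outside the Windows OpenSSH directory. The netstat rows, PIDs and file paths below are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Process names the campaign's own scripts enumerate on the host (from the report).
CAMPAIGN_PROCESS_NAMES = {"qtconnect.exe", "msedgeview.exe", "hdvideo.exe",
                          "lapmon.exe", "ksync.exe", "cloudflared.exe"}
SSH_NAMES = {"ssh.exe", "sshd.exe"}
# Where the built-in Windows OpenSSH binaries live; anything else deserves a look.
OPENSSH_DIR = "c:\\windows\\system32\\openssh\\"

TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


@dataclass
class Finding:
    pid: int
    image: str
    local: str
    remote: str
    reasons: list = field(default_factory=list)


def parse_netstat(text: str):
    """Yield (local, remote, state, pid) for each TCP row of `netstat -ano` output."""
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            local, remote, state, pid = m.groups()
            yield local, remote, state, int(pid)


def triage(netstat_text: str, pid_to_image: dict) -> list:
    """Flag established connections owned by processes matching the campaign's tooling."""
    findings = []
    for local, remote, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        image = pid_to_image.get(pid, "")
        name = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in CAMPAIGN_PROCESS_NAMES:
            reasons.append("process name is one the campaign's scripts enumerate")
        if name == "qtconnect.exe" and remote.endswith(":443"):
            reasons.append("QTConnect (renamed TeamViewer) with outbound 443 connection")
        if "\\appdata\\roaming\\qtconnect\\" in image.lower():
            reasons.append("image runs from %APPDATA%\\Roaming\\QTConnect")
        if name in SSH_NAMES and not image.lower().startswith(OPENSSH_DIR):
            reasons.append("ssh/sshd outside Windows OpenSSH holding an outbound connection")
        if reasons:
            findings.append(Finding(pid, image, local, remote, reasons))
    return findings


# Constructed sample data (not from a real incident).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49713         203.0.113.10:443       ESTABLISHED     4120
  TCP    10.0.0.5:49801         198.51.100.7:443       ESTABLISHED     2210
  TCP    10.0.0.5:49950         192.0.2.25:22          ESTABLISHED     5312
"""
PID_TO_IMAGE = {
    912: r"C:\Windows\System32\svchost.exe",
    4120: r"C:\Users\jdoe\AppData\Roaming\QTConnect\QTConnect.exe",
    2210: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    5312: r"C:\Users\jdoe\AppData\Local\Temp\sshd.exe",
}

if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, PID_TO_IMAGE):
        print(f.pid, f.image, f.local, "->", f.remote, "|", "; ".join(f.reasons))
```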

Figure 7 – Contents of fifth PowerShell Script
Finally, the sixth PowerShell script executes the binary QTConnect.exe, which is the renamed TeamViewer primary binary. The purpose of this execution is to sideload the dynamic link library (DLL) msi.dll, which is MineBridge RAT (a.k.a. TeviRAT in Kaspersky's report).
Initial analysis indicates the MineBridge RAT (msi.dll) was compiled with an obfuscation tool that uses a technique called control flow flattening. This method restructures the program’s execution flow into a more complex and less readable form, making reverse engineering significantly more difficult.
The malware first collects system details from the affected host using Windows API calls such as GetComputerNameW (computer name), GetUserNameW (logged-in user), and GetProductInfo (Windows edition). This information is structured in JSON format. It then reads the HWID.dat file to retrieve the hardware identifier, which is added to the JSON data. Next, the combined data is Base64-encoded. After encoding, MineBridge RAT decrypts an embedded RC4 key using XOR, then uses that key to RC4-encrypt the Base64 data. Finally, the encrypted data is transmitted to a hardcoded C2 server.
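For analysts reversing the beacon format described above, here is an added Python decoder (not the malware's code) that undoes the pipeline in reverse: XOR-recover the RC4 key, RC4-decrypt the captured blob, Base64-decode it, and parse the JSON. The XOR key, RC4 key, JSON field names and sample beacon below are constructed for the demo; the real key material has to be pulled from the sample under analysis.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, xor_key: bytes) -> bytes:
    """Repeating-key XOR, used by the RAT to unmask its embedded RC4 key."""
    return bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(data))


def decode_beacon(blob: bytes, obfuscated_rc4_key: bytes, xor_key: bytes) -> dict:
    """Reverse the report's pipeline: RC4-decrypt with the XOR-recovered key,
    Base64-decode, and parse the JSON the RAT built from the host details."""
    rc4_key = xor_bytes(obfuscated_rc4_key, xor_key)
    b64 = rc4(rc4_key, blob)
    return json.loads(base64.b64decode(b64))


# Constructed sample material (not real campaign keys or traffic).
XOR_KEY = b"\x5a\x13"
RC4_KEY = b"sample-rc4-key"
OBFUSCATED_RC4_KEY = xor_bytes(RC4_KEY, XOR_KEY)


def build_sample_beacon() -> bytes:
    """Produce a blob shaped like the beacon so decode_beacon can be exercised offline.
    Field names are assumptions; the report only lists the values collected."""
    fields = {"computer": "WS01", "user": "jdoe",
              "product": "Windows 10 Pro", "hwid": "0" * 32}
    b64 = base64.b64encode(json.dumps(fields).encode("utf-8"))
    return rc4(RC4_KEY, b64)


if __name__ == "__main__":
    print(decode_beacon(build_sample_beacon(), OBFUSCATED_RC4_KEY, XOR_KEY))
```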
If communication with the C2 server succeeds and the C2 determines that the HWID is unique, it responds with an RC4-encrypted payload. Once decrypted, BlueVoyant researchers determined it was another PowerShell script, designed to inject a DLL into the already running process and execute a further PowerShell script that installs SSH onto the system.
Example of Other Payloads
Among the variety of payloads delivered by script three, BlueVoyant analyzed one PowerShell script that led to a Node.js backdoor. First, the script determines if the Windows installation is 32-bit or 64-bit, then downloads the portable Node.js application from the official website and unpacks the content within the user’s newly created directory, APPDATA\TEMP\nodejs-portable.

Figure 8 – Download of JS RAT and Portable Node
After extracting the contents of the Node.js zip archive, the script downloads a JS file named mcl.js from the URL hxxps://2tnl[.]digital/online/tunupd.php?f=mcll&HWID=<insert HWID>, storing it within the APPDATA\TEMP directory. Once the JS file is downloaded, the script executes node.exe, supplying the path to mcl.js as the argument. BlueVoyant researchers determined that mcl.js functions as a covert backdoor client that connects a compromised system to a remote C2 server over an encrypted channel.

Figure 9 – Contents of Node.js RAT
When the backdoor is executed, it generates a unique encryption key for the session and reads a previously created hardware identifier (HWID) from the victim machine to uniquely identify the infected system. It then establishes a persistent outbound connection to a hardcoded remote server and waits for encrypted instructions.
The server can issue different types of commands, including requesting system identification details, creating hidden network tunnels that forward local connections through the attacker’s server, and instructing the client to establish new C2 connections. BlueVoyant researchers observed that each command was classified as an “id”:

All communications are encrypted using AES-256 to prevent inspection by security tools. If the connection is dropped, the script automatically attempts to reconnect every few seconds, ensuring long-term persistence.
Rift Brigantine’s Long-Haul Campaign
This attack activity is a definitive iteration of a long-running, adaptable campaign by the financially motivated threat actor Rift Brigantine. Central to the actor's operational consistency is a sophisticated, multi-stage infection chain capable of several remote access approaches. At least two methods—the establishment of a reverse SSH tunnel and the deployment of MineBridge RAT—stand out as an unbroken signature across the entire known timeline of their activity. This technique was documented in detail by Zscaler in June 2021, and a 2018 Proofpoint report shows an even earlier iteration. In that 2021 report, the malicious installer executed PowerShell scripts that downloaded ssh.exe, configuration files, and RSA keys to set up a persistent, scheduled reverse SSH tunnel from the victim's port 109 to an attacker-controlled server. This method was explicitly designed to bypass firewall restrictions by initiating an outbound connection, granting the actor a covert command line conduit directly into the compromised environment.
This same mechanism was not merely echoed but operationally replicated in subsequent reporting by Kaspersky in April 2025, which details how the TookPS downloader retrieves PowerShell scripts whose sole function is to fetch sshd.exe, a config file, and an RSA key to execute a near-identical SSH reverse tunnel command, with the same strategic goal of establishing attacker-controlled remote access. BlueVoyant's own findings above confirm this vector remains a core, active component of the attack chain. The malicious PowerShell scripts delivered by the TookPS downloader persistently query for and, if absent, download SSH-related binaries and dependencies to establish this covert tunnel, proving this is not an abandoned tactic but a fundamental and enduring pillar of Rift Brigantine's remote persistence model.
While the SSH tunnel provides a robust, low-profile command line foothold, it is deployed in tandem with a second, more versatile remote access payload (msi.dll) delivered through DLL sideloading abusing TeamViewer, a pairing that has also remained consistent. This payload, reported variably as MineBridge RAT by Zscaler in 2021 and as TeviRAT by Kaspersky, is described with identical functionality—covert remote control via a hijacked, legitimate GUI application. The convergence of these descriptions from different vendors across a four-year span strongly indicates they are documenting the same core malware family, a signature tool in Rift Brigantine's arsenal and now linked by BlueVoyant researchers.
Rift Brigantine demonstrates a versatile and highly adaptable approach to initial access, strategically aligning its lures with the professional interests of its intended targets. The overarching theme of these vectors reflects a calculated shift in focus from individual users to enterprise IT environments. As documented in 2021, the group relied on malicious websites and downloaders impersonating consumer and niche professional software, including cryptocurrency trading platforms (TradingView, Bitcoin_Trade, Arbitrage_Bot) and creative tools (Polarr Photo Editor). By 2025, analysis showed the use of fraudulent versions of widely used business and design applications such as AutoCAD, SketchUp, Ableton, and Quicken, suggesting a broader targeting of professionals in finance, engineering, and creative industries.
BlueVoyant’s recent research reveals the latest and most concerning evolution: the actor has aggressively pivoted to spoofing critical IT administration, security, and remote access software. This is evidenced by our analysis of malicious GitHub repositories and recovered file names, which include spoofed installers for Microsoft Remote Desktop/RDCMan, Palo Alto GlobalProtect, Zscaler Client Connector, Cisco AnyConnect, VMware Horizon, Azure Virtual Desktop, F5 BIG-IP Edge Client, and ScreenConnect. The inclusion of tools like PsExec, Windows Admin Center, and Power BI Desktop further underscores a deliberate focus on tools used by system administrators, network engineers, and security personnel.
Furthermore, this actor does not rely solely on deceptive downloads from spoofed websites or fake GitHub repos of legitimate tools; as noted in recent reporting, they have also employed spear-phishing campaigns—such as one described by Trellix aimed at security researchers using malicious Word documents with social engineering lures. This highlights a multi-faceted initial access strategy that combines technical deception with direct social engineering to maximize the likelihood of a successful compromise.
The entire attack sequence is orchestrated by the TookPS downloader framework, which facilitates fingerprinting, modular script execution, and infrastructure rotation. The campaign continues to expand its toolset with additional payloads like a Node.js RAT (mcl.js) and the Lapmon backdoor. In summary, Rift Brigantine operates with a stable and effective core playbook: the TookPS downloader delivers a one-two punch of a persistent reverse SSH tunnel and the MineBridge RAT, adapting the initial lure and secondary payloads while maintaining these foundational attack vectors for years. The enduring presence of the reverse SSH tunnel, similarly implemented from 2021 through 2025 (with precursors back to late 2018), serves as one of the highest-fidelity indicators for identifying this actor's intrusions.
Conclusion
The campaign detailed in this report underscores the persistent and adaptable threat posed by the financially motivated actor Rift Brigantine (TA505/FIN11). This investigation confirms that recent activity involving malicious GitHub installers and the TookPS downloader is not an isolated event, but the latest evolution in a multi-year offensive. The actor’s tradecraft has matured from distributing fake trading and creative software to meticulously spoofing critical enterprise IT and security tools—such as remote desktop clients, VPNs, and endpoint management utilities—indicating a strategic shift towards compromising network administrators and security professionals for deeper, more impactful intrusions. This evolution in lures is matched by a consistent and modular technical backbone, which has remained remarkably stable for years.
At the heart of this longevity are two unbroken, signature techniques: the deployment of a reverse SSH tunnel for stealthy command-line access and the sideloading of the MineBridge/TeviRAT payload via abused legitimate software like TeamViewer. These methods, documented independently by multiple security vendors from 2021 through 2025—and with clear technical precursors in TA505’s ServHelper malware from 2018—demonstrate a core playbook that the actor refines rather than reinvents. The TookPS framework serves as the agile orchestrator of this playbook, enabling fingerprinting, staged execution, and regular infrastructure rotation to evade detection while delivering a flexible payload suite that now includes Node.js backdoors and additional credential stealers.
Ultimately, Rift Brigantine represents a formidable and enduring adversary. Their operations are characterized by strategic targeting, operational consistency, and incremental adaptation. Defenders should treat the TookPS downloader, the presence of unauthorized reverse SSH tunnels, and the abuse of tools like TeamViewer in conjunction with suspicious DLLs as high-fidelity indicators of compromise. Vigilance against software downloads from unofficial sources, combined with robust monitoring for the living-off-the-land techniques and network patterns outlined in this report, is essential to mitigate the risk posed by this persistent threat actor.
MITRE ATT&CK Techniques
T1016 (System Network Configuration Discovery)
T1021.004 (Remote Services: SSH)
T1027 (Obfuscated Files or Information)
T1027.007 (Dynamic API Resolution)
T1033 (System Owner/User Discovery)
T1036.005 (Masquerading: Masquerade File Type)
T1049 (System Network Connections Discovery)
T1055.011 (Extra Window Memory Injection)
T1057 (Process Discovery)
T1059.001 (PowerShell)
T1071.001 (Application Layer Protocol: Web Protocols)
T1082 (System Information Discovery)
T1090.001 (Proxy: Internal Proxy)
T1105 (Ingress Tool Transfer)
T1140 (Deobfuscate/Decode Files or Information)
T1204.002 (User Execution: Malicious File)
T1518.001 (Security Software Discovery)
T1566.002 (Phishing – Spear phishing)
T1567.002 (Exfiltration Over Web Service to Cloud Storage)
T1573.001 (Encrypted Channel: Symmetric Cryptography)
T1574.002 (DLL Side-Load)
T1587.001 (Develop Capabilities: Malware)
T1588.001 (Obtain Capabilities: Malware)
Indicators of Compromise
URLs
hxxps://glucogenics[.]com/static_image/
hxxps://ifconfig[.]me/ip
Domains
glucogenics[.]com
ankaraotogaleri[.]com
base22[.]digital
ptk2[.]xyz
2tnl[.]digital
livewallpapers[.]online
IPs
158.69.225[.]31