Interesting #OpenDir on #QuasarRat C2 server 185.208.159[.]161:8000. The open web directory includes source code for a backdoor + misc development artifacts.

https://platform.censys.io/hosts/185.208.159.161
https://search.censys.io/hosts/185.208.159.161

#malware #thread 🧵

app.py (SHA256: 707cd46cd390072ba79f2655c562a205cba586f3634ef52e8c034c8a6a607a8c) looks to be the C2 server, with agent.go (SHA256: 8342dd353a95bd8f8884eef0cd1ba5b4e81751f669babf8c91b068e10ea64d99) as the client.

Case statements in agent.go show a bit of the functionality:
- start_shell
- cd / list_files / delete
- upload / download
- clipboard_on / keylog_on
- shutdown / restart

mouse_move and mouse_click are interesting to see. Less common to see at this level of functionality.

stealer.go (SHA256: bf9bbcc1692140d5aeaabb839a96e90d4c6df9b75e01ef79585ee07324b984ab) is a stand-alone tool for extracting logins. Looks to be custom; the debug messages are unique.
Back in the rest of the #opendir, uploads/ is used by app.py. I don't see where downloads_cache is used, but it has a similar agent-[0-9]+ structure. The SANS PDF "All-books-in-oneSANSSEC670RedTeamingTools-DevelopingCustomToolsforWindows.pdf" may be the inspiration behind app.py/agent.go.
Not seeing any good connections beyond. While the `banner_hash_sha256` on @censys shows 4 other hosts, normally a good sign when looking for unique malware, the underlying conditions (content length / server header) are weak in this case.
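Added example, not from the thread: a small Python model of why that pivot is weak. It assumes a simplified banner hash (SHA-256 over a few header fields, not Censys's actual algorithm) and uses constructed responses, then contrasts it with a hash over markers from the listing itself.

```python
import hashlib

# Constructed sample responses (not captured from the host in the thread). Many unrelated
# Python dev servers return identical Server/Content-Length values, which is why a hash over
# those fields alone matches hosts that have nothing to do with this C2.
SAMPLE_HOSTS = {
    "suspect-c2": {
        "headers": {"Server": "Werkzeug/3.0.1 Python/3.11.2", "Content-Length": "1043"},
        "body": "<title>Directory listing for /</title> app.py agent.go stealer.go uploads/ downloads_cache/",
    },
    "unrelated-a": {
        "headers": {"Server": "Werkzeug/3.0.1 Python/3.11.2", "Content-Length": "1043"},
        "body": "<title>Directory listing for /</title> README.md requirements.txt src/",
    },
    "unrelated-b": {
        "headers": {"Server": "Werkzeug/3.0.1 Python/3.11.2", "Content-Length": "1043"},
        "body": "<h1>Hello from my test app</h1>",
    },
}

# Markers taken from the listing described in the thread; a combination of several of them
# is far less likely to collide with an unrelated host than generic header values are.
OPENDIR_MARKERS = ("app.py", "agent.go", "stealer.go", "uploads/", "downloads_cache/")


def header_hash(resp: dict, fields=("Server", "Content-Length")) -> str:
    """Simplified model of a banner hash (assumption): SHA-256 over chosen header fields only."""
    canon = "\n".join(f"{f.lower()}: {resp['headers'].get(f, '')}" for f in sorted(fields))
    return hashlib.sha256(canon.encode()).hexdigest()


def content_hash(resp: dict, markers=OPENDIR_MARKERS) -> str:
    """SHA-256 over the set of listing markers actually present in the response body."""
    present = sorted(m for m in markers if m in resp["body"])
    return hashlib.sha256("\n".join(present).encode()).hexdigest()


def hosts_sharing_hash(hosts: dict, target: str, hash_fn) -> list:
    """Names of the other hosts whose hash under hash_fn equals the target's hash."""
    want = hash_fn(hosts[target])
    return sorted(h for h, r in hosts.items() if h != target and hash_fn(r) == want)


if __name__ == "__main__":
    # Header-only pivot drags in both unrelated dev boxes; the listing-content pivot does not.
    print("header-only pivot:", hosts_sharing_hash(SAMPLE_HOSTS, "suspect-c2", header_hash))
    print("listing-content pivot:", hosts_sharing_hash(SAMPLE_HOSTS, "suspect-c2", content_hash))
```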