It's been extremely hard to keep this one under wraps.

I just published a new blog post, where one weird string that looks like a cookie value turned out to be a whole cryptostealer and database wiping operation.

https://www.labs.greynoise.io/grimoire/2026-02-24-whats-that-string/

I spent some late nights on this one, and am a little bit ridiculously proud of the work I did.

What’s That String? That Time a Weird String Revealed a Whole Operation – GreyNoise Labs

One weird payload turned out to be a loose thread on an active hacking operation.


@Dio9sys Not finished reading but

The c2c subdomain is an nginx server on Ubuntu on a server in Japan, per URLScan. I was curious what the top-level domain looked like, so I tried www as well. Turns out their www is in a Tencent datacenter in Singapore. Neat!

Tencent is that company that buys games from indie developers

That seems foreboding...

@Epic_Null
Tencent is a megabrand tho. They are basically the Chinese AWS if AWS also had a movies division, blogging platform, and game studio
@Dio9sys Okay so this is more "Someone buying file storage and runtime to run this operation" than "Tencent is running cryptominers"
So, Amazon (minus the blog platform)