Two malvertising campaigns target IT staff with two backdoors, MadMxShell and WorkersDevBackdoor. Delivery runs through Google ads and Dropbox-hosted payloads, C2 runs over DNS, and the two campaigns share infrastructure: their delivery and C2 domains overlap, and a single actor email ties several of the domains together. #MadMxShell #WorkersDevBackdoor #getstorege #goodgoog1e
Keypoints
- Two malware payloads, MadMxShell and WorkersDevBackdoor, are distributed through malvertising campaigns aimed at IT staff.
- MadMxShell is delivered through ads for IP-scanner tools, is loaded via DLL search-order hijacking, and talks to its C2 over DNS from OneDrive.exe.
- WorkersDevBackdoor is hosted on Dropbox as an NSIS installer that bundles a password-protected 7z archive containing the payload; prior reporting links it to ThunderShell/Parcel RAT.
- Both campaigns share infrastructure and domain registrations (e.g., goodgoog1e), suggesting overlapping actors and delivery paths.
- A PowerShell script (soft_detect.ps1) checks the host for common IT tools so the installation can be tailored to a real IT workstation; the same checks keep the malware from running, and generating log alerts, in sandboxes or virtual machines.
- Infrastructure overlap across ASNs and domains links the distribution and C2 components of the two campaigns.
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising campaigns deliver payloads via malicious ads. “Distributed via malicious ads for IP scanners”
- [T1105] Ingress Tool Transfer – The distribution includes a one-liner that triggers an automatic download. “produces a one-liner that triggers an automatic download”
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – The MadMxShell payload is loaded via DLL hijacking. “Uses DLL hijacking”
- [T1071.004] Application Layer Protocol: DNS – C2 communications use DNS queries to attacker-controlled domains, issued from OneDrive.exe. “DNS for communication with its C2 server via OneDrive.exe”
- [T1027] Obfuscated Files and Information – Payload packaged in a password-protected 7z archive and delivered via an NSIS installer. “encrypted 7z archive containing payload”
- [T1497] Virtualization/Sandbox Evasion – PowerShell-based checks are used to avoid sandbox/VM detections. “PowerShell scripts… allow attackers to avoid unnecessary log alerts generated by malware running in sandboxes or virtual machines.”
Indicators of Compromise
- [Domain] Malvertising-related domains – advanc3d-1p-scan[.]com, angryipscat[.]org, and other related domains
- [Domain] C2/Infrastructure domains – litterbolo[.]com, getstorege[.]com, angryipo[.]org, and other related domains
- [Hash] MadMxShell – 2481ac76f08d691166a425a01cdf1ec8ab5e2fbdf451c1bfc3edcba3e4c482e5 (ZIP), 93962847285d6f81273132e72d66b03a2e6e1a0ff46893e58ad3747762548922 (DLL), and 4 more hashes
- [Hash] WorkersDevBackdoor – 55d1a76e4ed7d6ed0018c8129d631a637b591e18e52128dbe891a4382564793b, a8b0e013bd0d350035f12fd6703f7760a87cb218803e68c0eb482753961f2a41, 2264d2a23f365af0830b577360a724798a6132b1a2f4cd08a7ccfaa311ee920a
- [URL] Dropbox URLs – dropbox[.]com/scl/fi/z6tdyz5n9hon8ae5nihzt/ipscan-3[.]9[.]1-setup[.]exe, dropbox[.]com/scl/fi/q1xoadn14acxg4wqf5k7s/ipscan-3[.]9[.]1-setup[.]exe, dropbox[.]com/scl/fi/eghhcp5hi7y22ok662mud/ipscan-3[.]9[.]1-setup[.]exe, dropbox[.]com/scl/fi/0om3wuhw9cqfip7gez6il/ipscan-3[.]9[.]1-setup[.]exe, and 1 more URL
- [C2] Getstorege domain – getstorege[.]com (C2 domain; its registration data links it to MadMxShell infrastructure)
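The DNS-based C2 from OneDrive.exe (T1071.004) and the DLL search-order hijacking (T1574.001) summarised above both leave a distinctive shape in host telemetry. The following is an added detection example, not code from the source report: it runs three rules over constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 22 DNSEvent). The domains are taken from the IOC list above; the download directory, the hijacked DLL name (version.dll), the Microsoft domain allowlist, the user-writable path list and the tunnelling threshold are all assumptions for illustration and are not details from the report.

```python
"""Detection sweep over constructed Sysmon-style events for two MadMxShell
behaviours: DLL search-order hijacking (T1574.001) and DNS-based C2 issued from
OneDrive.exe (T1071.004). Added example, not from the source report. Domains come
from the IOC list; paths, DLL name, allowlist and thresholds are assumptions."""

from collections import defaultdict

# IOC domains from the list above, with [.] defanging removed.
IOC_DOMAINS = {
    "advanc3d-1p-scan.com", "angryipscat.org",
    "litterbolo.com", "getstorege.com", "angryipo.org",
}

# Assumption: legitimate OneDrive.exe only resolves Microsoft-operated domains.
ONEDRIVE_ALLOWED_SUFFIXES = (".microsoft.com", ".live.com", ".office.com",
                             ".office.net", ".msft.net", ".sfx.ms")

# Assumption: directories an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Assumption: this many distinct names under one domain from one process
# looks like data being carried in DNS labels.
TUNNEL_SUBDOMAIN_THRESHOLD = 5


def normalize(name: str) -> str:
    """Lower-case, strip a trailing dot, and undo [.] defanging."""
    return name.replace("[.]", ".").lower().rstrip(".")


def registered_domain(name: str) -> str:
    """Naive eTLD+1: last two labels (sufficient for the IOC domains here)."""
    return ".".join(normalize(name).split(".")[-2:])


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower() + "\\"


def check_dns(ev: dict) -> list:
    """Event 22 rules: query to an IOC domain, or OneDrive.exe resolving a
    domain Microsoft does not operate (the report's C2 channel runs via OneDrive.exe)."""
    q = normalize(ev["QueryName"])
    proc = basename(ev["Image"])
    out = []
    if registered_domain(q) in IOC_DOMAINS:
        out.append(f"ioc-domain: {proc} queried {q}")
    if proc == "onedrive.exe" and not q.endswith(ONEDRIVE_ALLOWED_SUFFIXES):
        out.append(f"onedrive-dns-c2: OneDrive.exe queried non-Microsoft {q}")
    return out


def check_image_load(ev: dict) -> list:
    """Event 7 rule: an unsigned DLL loaded from the host executable's own
    directory, inside a user-writable path, is the sideload/search-order-hijack shape."""
    dll, proc = ev["ImageLoaded"], ev["Image"]
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if (unsigned and dirname(dll) == dirname(proc)
            and dirname(proc).startswith(USER_WRITABLE_PREFIXES)):
        return [f"dll-hijack: {basename(proc)} loaded unsigned {basename(dll)} from {dirname(dll)}"]
    return []


def sweep(events: list) -> list:
    """Apply the per-event rules, then the cross-event tunnelling heuristic."""
    findings = []
    names_by_domain = defaultdict(set)   # (process, registered domain) -> distinct FQDNs
    for ev in events:
        if ev["EventID"] == 22:
            findings += check_dns(ev)
            q = normalize(ev["QueryName"])
            names_by_domain[(basename(ev["Image"]), registered_domain(q))].add(q)
        elif ev["EventID"] == 7:
            findings += check_image_load(ev)
    for (proc, dom), names in names_by_domain.items():
        if len(names) >= TUNNEL_SUBDOMAIN_THRESHOLD:
            findings.append(f"dns-tunnel: {proc} resolved {len(names)} distinct names under {dom}")
    return findings


# Constructed sample telemetry, not real captures. The hijacked DLL name and the
# download directory are assumptions, not details from the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\it\Downloads\ipscan\OneDrive.exe",
     "ImageLoaded": r"C:\Users\it\Downloads\ipscan\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 22, "Image": r"C:\Users\it\Downloads\ipscan\OneDrive.exe",
     "QueryName": "onedrive.live.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "advanc3d-1p-scan[.]com"},
] + [
    {"EventID": 22, "Image": r"C:\Users\it\Downloads\ipscan\OneDrive.exe",
     "QueryName": f"{label}.litterbolo.com"}
    for label in ("4a1f0c", "9be27d", "c03e55", "d71a9b", "e8f204")
]

if __name__ == "__main__":
    for line in sweep(SAMPLE_EVENTS):
        print(line)
```

The OneDrive.exe rule is deliberately process-scoped rather than domain-scoped: the IOC domains will rotate, but a legitimate OneDrive client has no reason to resolve anything outside Microsoft's namespace, so the allowlist catches the next campaign domain as well. Tune the allowlist against a baseline of your own OneDrive telemetry before deploying it.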