Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
By Threat Intelligence Unit
Overview
Oasis Security identified attacker-controlled infrastructure hosted on Microsoft Azure infrastructure in the Malaysia West region, used to conduct a targeted intrusion campaign against multiple Malaysian organizations.
The operation demonstrates a high degree of operational planning, with the attacker developing purpose-built Python tooling for each target — covering internal network enumeration, database access, and external data exfiltration.
Key characteristics of this campaign include:
- Custom Python exfiltration framework: Target-specific scripts developed for database access, enumeration, and data staging across multiple government domains
- Chained Laravel RCE exploitation: Five chained vulnerabilities leveraged to achieve remote code execution against a Malaysian mobile network operator's customer identity verification platform
- Previously undisclosed C2 tooling: Source code for an unpublished C# beacon and a Python-based C2 controller collected from attacker infrastructure
Adversary Infrastructure
- IP: 20.17.161.118
- Hosting Provider: Microsoft Azure (AS8075)
- Region: Malaysia West (Kuala Lumpur)
The infrastructure is hosted on a Microsoft Azure virtual machine in the Malaysia West region, which became generally available in May 2025.
A substantial collection of attacker-controlled files was identified on this infrastructure, including target-specific Python scripts, webshell deployment tools, a Laravel RCE exploit chain, and source code for custom C2 components.
Attack Operations
Enumeration and Attack Operations
Analysis of the identified tooling indicates a structured, modular approach, with distinct tools prepared for different stages of enumeration, access, and extraction, as well as for specific functions within the target environment.
Target: Internal network — e[REDACTED].gov.my
e[REDACTED].gov.my is a Malaysian government domain supporting administrative functions, with attacker access confirmed to its internal network.
analyze_[REDACTED].py — uses an administrator-authenticated localhost WinRM session and embedded MSSQL credentials to execute PowerShell-based SQL queries against an internal database server on the target's private network, supporting validation of database access and direct query execution within the target environment.
Figure 1. analyze_[REDACTED].py — embedded MSSQL credentials and direct database access against an internal server
asset_owner_check.py — uses an administrator-authenticated localhost WinRM session to inspect, validate, and prepare asset ownership datasets stored within the target environment, including file integrity checks, size verification, and compressed archive generation for subsequent collection activities.
Figure 2. asset_owner_check.py — asset ownership dataset inspection and compressed archive preparation via WinRM
check_cophoto.py — uses an administrator-authenticated localhost WinRM session and embedded MSSQL credentials to query and inspect photo-related records within the target database, including validation of column types.
Figure 3. check_cophoto.py — MSSQL-based photo record enumeration and column type validation
A suite of purpose-built Python scripts was identified, as shown in the following image.
Figure 4. Modular attack tool list (1) — internal network
Target domain: h[REDACTED].e[REDACTED].gov.my
h[REDACTED].e[REDACTED].gov.my is a Malaysian government portal hosted under the e[REDACTED].gov.my domain.
A separate suite of purpose-built scripts targeting this domain directly was also identified, as shown in the following image.
Figure 5. Modular attack tool list (2) — domain
One of the scripts, h[REDACTED]_alt_creds.py, interacts with an exposed rpc.asp endpoint to execute remote Windows commands via WScript.Shell object creation, using HTTP POST requests to submit encoded command execution payloads.
Figure 6. h[REDACTED]_alt_creds.py — remote command execution via exposed rpc.asp endpoint
h[REDACTED]_targeted.txt, containing 126 target passwords, was used as input for operations against this target domain.
Figure 7. h[REDACTED]_targeted.txt — 126 target passwords used in attack operations
In addition to the scripts above, two components handled remote execution and data transfer:
Remote Command Execution via RPC
deploy.py contains an RPC_URL pointing to an external HTTPS endpoint, enabling the attacker to execute commands on compromised systems through RPC calls from outside the target network. This provides a low-visibility channel for issuing instructions without direct interactive access.
Figure 8. deploy.py — external RPC endpoint configuration enabling remote command execution
External Data Exfiltration to Cloudflare Storage
gen_photo_upload.py implements upload logic targeting an external Cloudflare-hosted storage endpoint. This script was used to transfer exfiltrated files out of the compromised environment to attacker-controlled external storage.
Figure 9. gen_photo_upload.py — exfiltrated file transfer to attacker-controlled Cloudflare storage
Credential Dump and Data Exfiltration
Target domain: j[REDACTED].gov.my
j[REDACTED].gov.my is the official portal of a Malaysian government administrative entity.
Exfiltrated artifacts identified from the attacker's infrastructure indicate extensive compromise of this target:
j[REDACTED]_dc_SAM, j[REDACTED]_dc_SECURITY, j[REDACTED]_dc_SYSTEM — Windows registry hive files exfiltrated from the domain controller. Combined possession of these registry hive files enables offline extraction of local account password hashes and LSA Secrets using tools such as impacket-secretsdump or Mimikatz.
Figure 10. Exfiltrated domain controller registry hive files (SAM, SECURITY, SYSTEM) identified from attacker infrastructure
j[REDACTED]_dc_dump.ntds — output file from an NTDS dump, confirming that Active Directory credential hashes were extracted from the domain controller.
Figure 11. j[REDACTED]_dc_dump.ntds — NTDS dump output confirming extraction of Active Directory credential hashes
The presence of the NTDS dump output confirms that credential extraction was executed, not merely staged. Domain-level password hashes recovered through NTDS access provide the attacker with persistent access potential and lateral movement capability across the affected environment.
Webshell Deployment
Target domain: r[REDACTED].gov.my
r[REDACTED].gov.my (IP: 103.156.***.***) is a Malaysian government-associated portal.
shell21.py contains code to upload a PHP webshell (health.php) to this target. At the time of analysis, the webshell was confirmed to be active on the target server, providing the attacker with persistent remote command execution capability.
Figure 12. shell21.py — PHP webshell (health.php) upload code confirmed active on the target server
The directory containing shell21.py also included multiple related webshell variants, auxiliary deployment scripts, and associated execution log files, suggesting iterative development and operational reuse of the tooling set.
Figure 13. Attacker directory containing webshell variants, auxiliary deployment scripts, and execution logs
Exploitation Techniques
Laravel RCE Exploit Chain
laravel_rce.php targets e[REDACTED].[REDACTED].com.my, operated by a Malaysian Mobile Virtual Network Operator (MVNO) as a dedicated customer identity verification platform.
Figure 14. laravel_rce.php — five-chain Laravel deserialization RCE exploit
The PHP script iterates through five Laravel RCE gadget chains in sequence. It uses PHPGGC to generate serialized payloads and encrypts them with AES-256-CBC using a Laravel APP_KEY. The resulting payloads are consistent with Laravel-compatible encrypted deserialization payloads capable of invoking system commands.
Custom C2 Tooling
A notable finding from this investigation is the identification of previously undisclosed source code for both a beacon generator and a C2 controller from attacker-controlled infrastructure.
beacon.cs — C# Beacon Generator (Undisclosed)
beacon.cs is the source code for a C#-based malware beacon. This is not a publicly known or commercially available implant; the source code represents a private, unpublished version of the beacon generation component.
Figure 15. beacon.cs — undisclosed C# beacon source code identified from attacker infrastructure
Figure 16. beacon.cs — beacon configuration and communication logic from the undisclosed C# source
listener_http.py — Python C2 Controller (Undisclosed)
listener_http.py implements an HTTP-based C2 controller written in Python. Like the beacon, this controller has not been publicly disclosed. It is designed to receive and manage communications from beacons deployed on compromised hosts.
Figure 17. listener_http.py — undisclosed Python-based HTTP C2 controller source code
The pairing of a custom beacon generator with a dedicated listener controller suggests the attacker operates a self-maintained C2 framework, independent of publicly available tooling.
Assessment
This campaign reflects a structured, multi-target intrusion operation with the following characteristics:
- Purpose-built tooling per target: The development of discrete Python scripts for each target and each operational function — enumeration, access, exfiltration — reflects significant pre-operation preparation and operational discipline.
- Confirmed data exfiltration: NTDS dump output identified from attacker infrastructure confirms that credential extraction was completed, with domain-wide password hashes likely in attacker possession.
- Active persistence: A live webshell on r[REDACTED].gov.my indicates that access to at least one target remains active.
- Private C2 framework: Possession of unpublished beacon and controller source code places this actor beyond the profile of commodity threat actors relying on publicly available tools.
The identified activity demonstrates a structured and modular intrusion workflow involving credential extraction, custom tooling, and private C2 infrastructure across multiple Malaysian government-related environments.
Conclusion
This investigation reveals a targeted intrusion operation against multiple Malaysian government organizations, characterized by purpose-built Python tooling per target, domain-level credential extraction, active webshell deployment, and a chained Laravel RCE exploit.
The presence of previously undisclosed C# beacon and Python C2 controller source code further distinguishes this actor, reflecting a self-maintained offensive framework beyond commodity tooling.
Organizations affected by this type of intrusion activity should prioritize immediate webshell removal, full domain-level password resets, and comprehensive artifact review to limit the attacker's continued access potential.