May 15, 2026 · 11 min read · Intelligence

Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations

By Threat Intelligence Unit

Overview

Oasis Security identified attacker-controlled infrastructure hosted on Microsoft Azure in the Malaysia West region, used to conduct a targeted intrusion campaign against multiple Malaysian organizations.

The operation demonstrates a high degree of operational planning, with the attacker developing purpose-built Python tooling for each target — covering internal network enumeration, database access, and external data exfiltration.

Key characteristics of this campaign include:

  • Custom Python exfiltration framework: Target-specific scripts developed for database access, enumeration, and data staging across multiple government domains
  • Chained Laravel RCE exploitation: Five chained vulnerabilities leveraged to achieve remote code execution against a Malaysian mobile network operator's customer identity verification platform
  • Previously undisclosed C2 tooling: Source code for an unpublished C# beacon and a Python-based C2 controller collected from attacker infrastructure


Adversary Infrastructure

  • IP: 20.17.161.118
  • Hosting Provider: Microsoft Azure (AS8075)
  • Region: Malaysia West (Kuala Lumpur)

The infrastructure is hosted on a Microsoft Azure virtual machine in the Malaysia West region, which became generally available in May 2025.

A substantial collection of attacker-controlled files was identified on this infrastructure, including target-specific Python scripts, webshell deployment tools, a Laravel RCE exploit chain, and source code for custom C2 components.



Attack Operations

Enumeration and Attack Operations

Analysis of the identified tooling indicates a structured, modular approach, with distinct tools prepared for different stages of enumeration, access, and extraction, as well as for specific functions within the target environment.

Target: Internal network — e[REDACTED].gov.my

e[REDACTED].gov.my is a Malaysian government domain supporting administrative functions; attacker access to its internal network was confirmed.

  • analyze_[REDACTED].py — uses an administrator-authenticated localhost WinRM session and embedded MSSQL credentials to execute PowerShell-based SQL queries against an internal database server on the target's private network, supporting validation of database access and direct query execution within the target environment.

Figure 1. analyze_[REDACTED].py — embedded MSSQL credentials and direct database access against an internal server

  • asset_owner_check.py — uses an administrator-authenticated localhost WinRM session to inspect, validate, and prepare asset ownership datasets stored within the target environment, including file integrity checks, size verification, and compressed archive generation for subsequent collection activities.

Figure 2. asset_owner_check.py — asset ownership dataset inspection and compressed archive preparation via WinRM

  • check_cophoto.py — uses an administrator-authenticated localhost WinRM session and embedded MSSQL credentials to query and inspect photo-related records within the target database, including validation of column types.

Figure 3. check_cophoto.py — MSSQL-based photo record enumeration and column type validation

A suite of purpose-built Python scripts was identified, as shown in the following image.

Figure 4. Modular attack tool list (1) — internal network

Target domain: h[REDACTED].e[REDACTED].gov.my

h[REDACTED].e[REDACTED].gov.my is a Malaysian government portal hosted under the e[REDACTED].gov.my domain.

A separate suite of purpose-built scripts targeting this domain directly was also identified, as shown in the following image.

Figure 5. Modular attack tool list (2) — domain

One of the scripts, h[REDACTED]_alt_creds.py, interacts with an exposed rpc.asp endpoint to execute remote Windows commands via WScript.Shell object creation, using HTTP POST requests to submit encoded command execution payloads.

Figure 6. h[REDACTED]_alt_creds.py — remote command execution via exposed rpc.asp endpoint

h[REDACTED]_targeted.txt, containing 126 target passwords, was used as input for operations against this target domain.

Figure 7. h[REDACTED]_targeted.txt — 126 target passwords used in attack operations

In addition to the scripts above, two components handled remote execution and data transfer:

Remote Command Execution via RPC

deploy.py contains an RPC_URL pointing to an external HTTPS endpoint, enabling the attacker to execute commands on compromised systems through RPC calls from outside the target network. This provides a low-visibility channel for issuing instructions without direct interactive access.

Figure 8. deploy.py — external RPC endpoint configuration enabling remote command execution

External Data Exfiltration to Cloudflare Storage

gen_photo_upload.py implements upload logic targeting an external Cloudflare-hosted storage endpoint. This script was used to transfer exfiltrated files out of the compromised environment to attacker-controlled external storage.

Figure 9. gen_photo_upload.py — exfiltrated file transfer to attacker-controlled Cloudflare storage


Credential Dump and Data Exfiltration

Target domain: j[REDACTED].gov.my

j[REDACTED].gov.my is the official portal of a Malaysian government administrative entity.

Exfiltrated artifacts identified from the attacker's infrastructure indicate extensive compromise of this target:

  • j[REDACTED]_dc_SAM, j[REDACTED]_dc_SECURITY, j[REDACTED]_dc_SYSTEM — Windows registry hive files exfiltrated from the domain controller. Combined possession of these registry hive files enables offline extraction of local account password hashes and LSA Secrets using tools such as impacket-secretsdump or Mimikatz.

Figure 10. Exfiltrated domain controller registry hive files (SAM, SECURITY, SYSTEM) identified from attacker infrastructure

  • j[REDACTED]_dc_dump.ntds — output file from an NTDS dump, confirming that Active Directory credential hashes were extracted from the domain controller.

Figure 11. j[REDACTED]_dc_dump.ntds — NTDS dump output confirming extraction of Active Directory credential hashes

The presence of the NTDS dump output confirms that credential extraction was executed, not merely staged. Domain-level password hashes recovered through NTDS access provide the attacker with persistent access potential and lateral movement capability across the affected environment.


Webshell Deployment

Target domain: r[REDACTED].gov.my

r[REDACTED].gov.my (IP: 103.156.***.***) is a Malaysian government-associated portal.

shell21.py contains code to upload a PHP webshell (health.php) to this target. At the time of analysis, the webshell was confirmed to be active on the target server, providing the attacker with persistent remote command execution capability.

Figure 12. shell21.py — PHP webshell (health.php) upload code confirmed active on the target server

The directory containing shell21.py also included multiple related webshell variants, auxiliary deployment scripts, and associated execution log files, suggesting iterative development and operational reuse of the tooling set.

Figure 13. Attacker directory containing webshell variants, auxiliary deployment scripts, and execution logs
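For defenders reviewing web server logs, the rpc.asp command channel described above and the health.php webshell in this section both leave request-level traces. The following detection script is an added example, not part of the original report or the attacker's tooling; the log lines are constructed, and the indicator names (the Azure IP, rpc.asp, health.php) are taken from the report.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Parser for Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Indicators from the report: attacker-controlled Azure host, the exposed
# rpc.asp endpoint driven via HTTP POST, and the health.php webshell name.
ATTACKER_IPS = {"20.17.161.118"}
WEBSHELL_NAMES = {"health.php"}
RPC_ENDPOINT = "rpc.asp"

@dataclass
class Finding:
    line_no: int
    ip: str
    rule: str
    path: str
    status: int

def scan_log(lines: list[str]) -> list[Finding]:
    """Match each parsed access-log entry against the report's indicators."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; production code should count these too
        e = m.groupdict()
        path = e["path"].split("?", 1)[0].lower()  # drop query string
        name = path.rsplit("/", 1)[-1]
        status = int(e["status"])
        if e["ip"] in ATTACKER_IPS:
            findings.append(Finding(n, e["ip"], "known-attacker-ip", path, status))
        if name in WEBSHELL_NAMES:  # even a 404 shows someone probing for it
            findings.append(Finding(n, e["ip"], "webshell-access", path, status))
        if e["method"] == "POST" and name == RPC_ENDPOINT:
            findings.append(Finding(n, e["ip"], "rpc-asp-post", path, status))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule for a quick triage view."""
    return dict(Counter(f.rule for f in findings))

# Constructed sample log (RFC 5737 documentation addresses for the benign clients).
SAMPLE_LOG = """\
203.0.113.10 - - [15/May/2026:08:01:12 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
20.17.161.118 - - [15/May/2026:08:02:40 +0800] "POST /api/rpc.asp HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [15/May/2026:08:03:05 +0800] "GET /uploads/health.php HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.10 - - [15/May/2026:08:04:00 +0800] "GET /health.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.ip} -> {f.path} ({f.status})")
```

A real deployment would feed it the web tier's access logs and pair webshell hits with file-system timestamps for the named PHP file.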



Exploitation Techniques

Laravel RCE Exploit Chain

laravel_rce.php targets e[REDACTED].[REDACTED].com.my, operated by a Malaysian Mobile Virtual Network Operator (MVNO) as a dedicated customer identity verification platform.

Figure 14. laravel_rce.php — five-chain Laravel deserialization RCE exploit (PHPGGC-generated payloads, AES-256-CBC encrypted)

The PHP script iterates through five Laravel RCE gadget chains in sequence. It uses PHPGGC to generate serialized payloads and encrypts them with AES-256-CBC using a Laravel APP_KEY. The resulting payloads are consistent with Laravel-compatible encrypted deserialization payloads capable of invoking system commands.



Custom C2 Tooling

A notable finding from this investigation is the identification of previously undisclosed source code for both a beacon generator and a C2 controller from attacker-controlled infrastructure.

beacon.cs — C# Beacon Generator (Undisclosed)

beacon.cs is the source code for a C#-based malware beacon. This is not a publicly known or commercially available implant; the source code represents a private, unpublished version of the beacon generation component.

Figure 15. beacon.cs — undisclosed C# beacon source code identified from attacker infrastructure

Figure 16. beacon.cs — beacon configuration and communication logic from the undisclosed C# source

listener_http.py — Python C2 Controller (Undisclosed)

listener_http.py implements an HTTP-based C2 controller written in Python. Like the beacon, this controller has not been publicly disclosed. It is designed to receive and manage communications from beacons deployed on compromised hosts.

Figure 17. listener_http.py — undisclosed Python-based HTTP C2 controller source code

The pairing of a custom beacon generator with a dedicated listener controller suggests the attacker operates a self-maintained C2 framework, independent of publicly available tooling.



Assessment

This campaign reflects a structured, multi-target intrusion operation with the following characteristics:

  • Purpose-built tooling per target: The development of discrete Python scripts for each target and each operational function — enumeration, access, exfiltration — reflects significant pre-operation preparation and operational discipline.
  • Confirmed data exfiltration: NTDS dump output identified from attacker infrastructure confirms that credential extraction was completed, with domain-wide password hashes likely in attacker possession.
  • Active persistence: A live webshell on r[REDACTED].gov.my indicates that access to at least one target remains active.
  • Private C2 framework: Possession of unpublished beacon and controller source code places this actor beyond the profile of commodity threat actors relying on publicly available tools.

The identified activity demonstrates a structured and modular intrusion workflow involving credential extraction, custom tooling, and private C2 infrastructure across multiple Malaysian government-related environments.



Conclusion

This investigation reveals a targeted intrusion operation against multiple Malaysian government organizations, characterized by purpose-built Python tooling per target, domain-level credential extraction, active webshell deployment, and a chained Laravel RCE exploit.

The presence of previously undisclosed C# beacon and Python C2 controller source code further distinguishes this actor, reflecting a self-maintained offensive framework beyond commodity tooling.

Organizations affected by this type of intrusion activity should prioritize immediate webshell removal, full domain-level password resets, and comprehensive artifact review to limit the attacker's continued access potential.