# Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware

A single MalwareBazaar sample, fed to our Caronte CTI platform, unfolded into 1,932 victims, six withdrawal wallets, and ~$148 ETH already moved to cold storage. All from intelligence Caronte extracted autonomously in minutes.

Beelzebub Labs

Research note: The API key used to enumerate this infrastructure was extracted from malware distributed publicly on MalwareBazaar: the same credential the threat actor embedded in their own agent to phone home from infected machines. No victim data was retained beyond the statistics reported here. No settings were modified.

## TL;DR

- Analysis performed autonomously by Caronte, our agentic CTI platform: from a single MalwareBazaar sample to full C2 attribution, victim enumeration, and on-chain fund tracking, in minutes, with no manual reverse engineering.
- Needle is an active MaaS crypto-stealing platform with two live modules: a browser extension spoofer targeting MetaMask, Phantom, and Trust Wallet; and a Rust desktop agent impersonating Exodus, Trezor, and Ledger.
- The Rust agent embeds its C2 API key without protection.
- Using that key, we enumerated 1,932 victims and the attacker's full withdrawal configuration across six blockchains.
- The panel's React SPA performed authentication entirely client-side: writing a structurally valid token to localStorage was enough to render the full admin dashboard, with no server validation behind the UI routing layer.
- The frontend bundle defines a write endpoint for the withdrawal configuration that uses the same agent-key authentication scheme, meaning the credential that phones home from infected machines could potentially redirect every future auto-withdrawal.

## Key Findings at a Glance

| Category | Details |
| --- | --- |
| Sample | Rust PE (Windows), v1.3, SHA256: d6ca3760...a490 |
| C2 Stack | React 19 SPA · Express.js API · nginx 1.29.8 |
| Active Modules | Desktop Wallet Spoofer · Browser Wallet Spoofer |
| Victims | 1,932 total (111 browser extension, 1,821 desktop sessions) |
| Targeted Wallets | MetaMask · Trust · Phantom · OKX · Exodus · Trezor · Ledger · Atomic · Guarda · Zelcore |
| Campaign Window | Active from April 18, 2026; ongoing at time of writing |
| Auth Failures | Unprotected agent key · client-side-only auth · unauthenticated builder |
| C2 Infrastructure | 130.12.180.135 (ports 3000, 8080, 8181) |
| Confirmed Fund Movement | EVM hot wallet: ~$148 ETH forwarded to cold storage |

## Discovery: From MalwareBazaar to Full C2 Visibility

A sample flagged as a Windows crypto-stealer surfaced on MalwareBazaar. We fed it to Caronte, our agentic CTI platform. From that single upload, Caronte ran the full analysis pipeline autonomously, with no manual reverse engineering required.

Caronte started with binary classification: a stripped Rust PE, 8.9 MB, unsigned, entropy 6.71, tagged on MalwareBazaar as RustyStealer, distributed via the Phorpiex spam botnet.
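The classification step above rests on two cheap static checks, byte entropy and printable-string extraction, and the same string pass is what surfaces framework markers, wallet names, imported Windows API names and an embedded configuration blob. The following is an added example, not Caronte's or Beelzebub Labs' code, of those checks in Node.js run over a constructed byte blob that stands in for the sample; the planted strings, the C2 address 198.51.100.7 and the api_key value are all made up for the demonstration.

```javascript
'use strict';
// Added example (not Beelzebub Labs' or Caronte's code): a minimal static-triage
// pass run over a CONSTRUCTED byte blob that stands in for the stripped Rust PE.
// The blob, the C2 address 198.51.100.7 and the api_key value are made up.

// Indicator strings of the kinds the analysis recovered: GUI framework,
// impersonated wallets, keylogging import, Run-key persistence, anti-debug import.
const INDICATORS = {
  framework:     ['egui'],
  walletTargets: ['zelcore', 'trezor', 'ledger'],
  keylogging:    ['GetAsyncKeyState'],
  persistence:   ['Software\\Microsoft\\Windows\\CurrentVersion\\Run'],
  antiDebug:     ['SetUnhandledExceptionFilter'],
};

// Shannon entropy in bits per byte (0..8). Packed or encrypted regions sit
// near 8; plain code and string tables sit lower.
function shannonEntropy(buf) {
  if (buf.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b] += 1;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / buf.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Printable-ASCII runs of at least minLen bytes, like `strings -n`.
function extractStrings(buf, minLen = 6) {
  const out = [];
  let run = '';
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) out.push(run);
    run = '';
  }
  if (run.length >= minLen) out.push(run);
  return out;
}

// Recover an embedded JSON config the way a data-segment scan would: return
// the first string that parses as a JSON object carrying a string `c2` field.
function recoverConfig(strings) {
  for (const s of strings) {
    const start = s.indexOf('{'), end = s.lastIndexOf('}');
    if (start === -1 || end <= start) continue;
    try {
      const obj = JSON.parse(s.slice(start, end + 1));
      if (obj && typeof obj.c2 === 'string') return obj;
    } catch { /* not JSON, keep scanning */ }
  }
  return null;
}

// Full triage report: entropy, which indicators of each category were seen,
// and the recovered config (or null).
function triage(buf) {
  const strings = extractStrings(buf);
  const indicators = {};
  for (const [category, needles] of Object.entries(INDICATORS)) {
    indicators[category] = needles.filter(n => strings.some(s => s.includes(n)));
  }
  return { entropy: shannonEntropy(buf), indicators, config: recoverConfig(strings) };
}

// ---- constructed sample: deterministic high-entropy filler plus planted strings ----
function xorshift32(seed) {
  let x = seed >>> 0;
  return () => {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    return x & 0xff;
  };
}
function buildSample() {
  const next = xorshift32(0x1badb002);
  const filler = Buffer.alloc(4096);
  for (let i = 0; i < filler.length; i++) filler[i] = next();
  const planted = [
    'MZ', 'egui::Context', 'zelcore', 'trezor', 'ledger',
    'GetAsyncKeyState', 'SetUnhandledExceptionFilter',
    'Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    '{"c2":"http://198.51.100.7:3000","api_key":"nd_live_EXAMPLE0000"}',
  ].map(s => Buffer.concat([Buffer.from(s, 'ascii'), Buffer.alloc(1)]));
  return Buffer.concat([planted[0], filler, ...planted.slice(1)]);
}
const SAMPLE = buildSample();

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

On a real file, replace buildSample() with fs.readFileSync(path). The random filler here scores near 8 bits per byte, while the real binary's 6.71 reflects the large plain code and string tables a stripped Rust PE carries alongside any compressed data; entropy alone does not name a family, it only tells you whether unpacking has to come first. A config recovered this way is exactly what made this case: the api_key that falls out of the string pass is the same credential every infected host uses to check in.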
Caronte then identified the egui desktop GUI framework from characteristic string patterns, traced the Rust panic-handler paths to recover wallet impersonation targets (zelcore, trezor, ledger), and reconstructed the embedded configuration schema from the binary's data segments.

Static reverse engineering also surfaced capabilities beyond the wallet spoofer: keylogging via GetAsyncKeyState (consistent with capturing seed phrases as they are typed, not only on submission), persistence via the Windows Run registry key, and anti-debugging techniques including SetUnhandledExceptionFilter and software breakpoint traps.

The C2 IP resolved to ASN 202412 (Omegatech LTD, Amsterdam), a known bulletproof hosting provider with 27 OTX malicious pulses on record at time of analysis.

The full analysis produced a threat graph of 94 nodes and 135 edges, matching 40 YARA rules across local and MalwareBazaar rulesets, including high-severity hits for keylogging, anti-VM evasion, and Rust-based stealer patterns. Within minutes of submission, Caronte had produced a complete operator profile: platform identity, C2 address, API key, and a live panel managing nearly two thousand victims.

### What Caronte produced autonomously

| Deliverable | Output |
| --- | --- |
| Binary classification | Stripped Rust PE, 8.9 MB, RustyStealer family |
| Framework identification | egui GUI, Phorpiex distribution |
| Capability extraction | Keylogging, persistence, anti-debug |
| Embedded config recovery | C2 URL and API key from binary data segments |
| Infrastructure attribution | ASN 202412 Omegatech, 27 OTX pulses |
| Threat graph | 94 nodes, 135 edges |
| Detection coverage | 40 YARA rule matches |
| Time to intelligence | Minutes vs. days of manual RE |

Everything below this section is verification and exploration built on top of Caronte's autonomous output: the human-in-the-loop step.

## What is Needle?

Needle is a modular MaaS (Malware-as-a-Service) platform. The panel is built around purchasable modules: operators activate what they need, the infrastructure stays shared. During our...
The Needle malware-as-a-service platform uses a Rust-based desktop agent and browser extension spoofers to steal cryptocurrency wallet credentials, but its critical weakness is embedding the C2 API key unprotected in the malware and relying entirely on client-side authentication for its admin panel. This allowed the researchers, with the analysis performed autonomously by their CTI platform, to enumerate 1,932 victims and read the attacker's withdrawal configuration using the exposed key. The article does not provide a CVSS score, specific affected or fixed software versions, or a workaround, as the analysis focuses on the threat actor's operational security failures and campaign impact.