Introduction
KarstoRat (Remote Access Trojan) is an advanced modular malware first detected in February 2026, consisting of 7 different modules. Developed by Dave Hibberd (aka “Hibby”), this malware is designed for cyber espionage and financial gain, and has been found to operate through a C2 infrastructure located in Berlin, Germany.
It all started with a routine malware sample examination. A security researcher from a Europe-based gaming company forwarded us a suspicious file named “client.exe” that had been detected on several employee workstations. The company reported unusual network traffic and unauthorized Discord activity.
When the file hash was analyzed, numerous security vendors had flagged it as malicious. However, we wanted to go deeper…
This was followed by a 1-week investigation:
- Static analysis of the binary
- C2 infrastructure mapping using threat intelligence platforms
- OSINT investigation tracking digital footprints
- Behavioral analysis in sandbox environments
This report documents our findings.
What is KarstoRat and What Does It Target?
Unlike generic malware that simply steals passwords, KarstoRat is a fully-featured cyber espionage tool designed for long-term access to compromised systems.
Primary Objectives:
| Objective | Description |
|---|---|
| Financial Gain | Discord token theft, cryptocurrency wallet harvesting, credential theft |
| Cyber Espionage | Remote shell access, file exfiltration, screen and audio surveillance |
| Data Collection | System information, keystroke logging, clipboard data |
| Target Victims | Gaming, crypto investors, technology companies and general users |
Key Findings Summary
| Finding | Technical Details |
|---|---|
| Malware Identity | client.exe – SHA256: 07131e3fcb9e65c1e4d2e756efdb9f263fd90080d3ff83fbcca1f31a4890ebdb |
| C2 Infrastructure | 212.227.65.132:15144 – Berlin/Germany – IONOS Hosting |
| Developer Trace | PDB Path: C:\Users\hibby\Desktop\Project1\Project1\x64\Release\Project1.pdb |
| Developer Identity | Dave Hibberd (GitHub: Hibby) – Aberdeen/Scotland |
Static Analysis Findings
File Information
File Name : client.exe
SHA256 Hash : 07131e3fcb9e65c1e4d2e756efdb9f263fd90080d3ff83fbcca1f31a4890ebdb
File Size : 168 KB (172,032 bytes)
File Type : PE32 executable (GUI) Intel 80386
Compile Time : Late 2025 / Early 2026
PDB Path : C:\Users\hibby\Desktop\Project1\Project1\x64\Release\Project1.pdb
Discovery Significance: The PDB path was the golden ticket. It revealed the developer’s local username (hibby) and project structure, enabling us to trace the individual across the internet.
Imported DLLs and Functions
| DLL | Imported Functions | Purpose |
|---|---|---|
| wininet.dll | HttpOpenRequestA, InternetOpenA, HttpSendRequestA, InternetReadFile | HTTP C2 Communication – Receives commands and exfiltrates data |
| advapi32.dll | RegSetValueExA, RegCreateKeyExA, RegDeleteValueA | Registry Persistence – Ensures malware survives reboots |
| user32.dll | SetWindowsHookExA, GetKeyState, GetClipboardData | Keylogging & Clipboard – Captures keystrokes and copied data |
| avicap32.dll | capCreateCaptureWindowA | Webcam Capture – Takes photos through victim’s camera |
| winmm.dll | mciSendStringA | Audio Recording – Records microphone input |
| gdi32.dll | BitBlt, CreateCompatibleBitmap | Screen Capture – Takes screenshots of victim’s desktop |
| kernel32.dll | CreateProcessA, GetComputerNameA, GetUserNameA | System Info & Process Management – Profiles victim machine |
The wide range of capabilities indicates that the malware is designed not just for credential theft, but for comprehensive surveillance and data theft. The attacker’s goal is to profile victims thoroughly before deciding which data is most valuable.
String Analysis – Command Set
The strings extracted from the binary reveal the attacker’s command language:
| Command | Purpose | C2 Endpoint |
|---|---|---|
| SCREENSHOT | Take screen capture | /upload-screen?user=admin |
| STARTUP_ON/OFF | Enable/disable registry persistence | – |
| TASK_ON/OFF | Enable/disable scheduled task | – |
| KEYLOG_ON/OFF | Start/stop keylogger | /upload-keylog |
| SYSINFO | Collect system information | /upload-sysinfo?user=admin |
| SHELL_START/STOP | Open/close remote shell | – |
| WEBCAM | Capture webcam image | /upload-webcam |
| AUDIO_RECORD | Record audio (with duration) | /upload-audio |
| CLIPBOARD_ON/OFF | Monitor clipboard | /upload-clipboard |
| TOKEN_GRAB | Steal Discord tokens | /upload-tokens |
| DOWNLOAD | Download file to victim | /client-download?user=admin |
| DOWNLOAD_RUN | Download and execute file | – |
| UAC_BYPASS | Escalate privileges | fodhelper.exe |
| SELF_DESTRUCT | Self-cleanup | – |
Discovery Significance: The command set reveals what the attacker values:
- Discord tokens (gaming communities, cryptocurrency discussions)
- Audio/visual surveillance (espionage capabilities)
- Remote shell access (complete system control)
C2 Infrastructure Analysis
Server Profile
Using threat intelligence platforms, we mapped the attacker’s command and control server:
| Attribute | Detail |
|---|---|
| IP Address | 212.227.65.132 |
| Last Seen | 2026-02-25 |
| Hostname | ip212-227-65-132.pbiaas.com |
| Country/City | Germany / Berlin |
| ISP | IONOS SE (AS8560) |
| Operating System | Ubuntu |
Geographic Insight: The attacker may have chosen a German hosting provider for the following reasons:
- Avoiding law enforcement in his own country
- Taking advantage of Germany’s strong privacy laws
- Using a reputable European provider to avoid raising suspicion
Open Ports
| Port | Service | Version | Analysis |
|---|---|---|---|
| 22 | SSH | OpenSSH 9.2p1 | Direct server access. Poor operational security |
| 80 | HTTP | Nginx 1.18.0 | Likely a decoy or redirect |
| 2022 | SSH (Golang) | Unknown | Alternative SSH – Direct server access |
| 3071 | HTTP (Express) | Node.js | C2 Panel – Rate limiting (100/900s) protects the control panel |
| 3072 | HTTP (Express) | Node.js | Backup C2 – Stronger security headers suggest admin panel |
| 8080 | HTTP (Express) | Node.js | Auth Service – 401 Unauthorized, Bearer auth |
| 9200 | HTTP (Express) | Node.js | Elasticsearch – Possibly storing stolen data |
| 12200 | HTTP (aiohttp) | Python 3.13 | Data Processing Service – Custom Python API |
Motivation Insight: The attacker is technically capable (Node.js, Python, Elasticsearch) but operationally sloppy (SSH exposed, multiple open ports). This indicates a skilled developer with poor operational security – typical of attackers transitioning from hobbyist to criminal.
HTTP Traffic Analysis
During sandbox execution, we captured this HTTP request:
POST /OneCollector/1.0/ HTTP/1.1
APIKey: 0da1917aa56040d3a011c3813ca36107-76f080d8-b37f-4635-8054-5c133fcd04c4-6587,cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521
Content-Encoding: deflate
Content-Type: application/bond-compact-binary
Host: mobile.events.data.microsoft.com
Discovery Significance:
- The attacker uses Microsoft’s own OneCollector API to exfiltrate data
- This is a clever evasion technique – traffic appears legitimate (to Microsoft servers)
- Deflate compression and bond-compact-binary format indicate data is encrypted/compressed before exfiltration
The attacker understands enterprise defense systems and actively works to bypass them. This is not an amateur – this is someone who studies how defense teams operate.
Developer Traces
PDB Path – The Developer’s Mistake
The most critical discovery was the PDB path embedded in the binary:
0001ded0: 433a 5c55 7365 7273 5c68 6962 6279 5c44 C:\Users\hibby\D
0001dee0: 6573 6b74 6f70 5c50 726f 6a65 6374 315c esktop\Project1\
0001def0: 5072 6f6a 6563 7431 5c78 3634 5c52 656c Project1\x64\Rel
0001df00: 6561 7365 5c50 726f 6a65 6374 312e 7064 ease\Project1.pd
0001df10: 6200 b
Translation: C:\Users\hibby\Desktop\Project1\Project1\x64\Release\Project1.pdb
Discovery Significance: This single line revealed:
- Developer Username: hibby
- Project Name: Project1 (Visual Studio default – suggests inexperience)
- Development Environment: Windows
- Compilation Configuration: Release (ready for distribution)
This was the developer’s fatal mistake – forgetting to strip debug symbols before distribution. It’s equivalent to leaving your ID card at a crime scene.
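As an added triage example (not code from the original report or from the binary's author), a Python routine that pulls the PDB path out of a CodeView RSDS record the way the hex dump above shows it, and checks a sample for the command strings and upload endpoints listed earlier. The sample bytes are constructed here, not the real client.exe.

```python
import re
import struct

# Strings quoted in the report: the C2 command set and upload endpoints.
# Their presence in a sample is a triage signal, not proof on its own.
KARSTORAT_COMMANDS = [b"SCREENSHOT", b"KEYLOG_ON", b"TOKEN_GRAB", b"DOWNLOAD_RUN",
                      b"UAC_BYPASS", b"SELF_DESTRUCT", b"SHELL_START", b"AUDIO_RECORD"]
KARSTORAT_ENDPOINTS = [b"/upload-keylog", b"/upload-tokens", b"/client-download"]
# Fallback for binaries whose CodeView record is damaged: any drive-rooted path ending in .pdb
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,255}?\.pdb\x00")


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return PDB paths from CodeView RSDS records (GUID + age + NUL-terminated path)."""
    paths = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end() + 16 + 4  # skip the 16-byte GUID and the 4-byte age
        end = data.find(b"\x00", start)
        if end > start:
            paths.append(data[start:end].decode("ascii", "replace"))
    if not paths:
        paths = [m.group(0)[:-1].decode("ascii", "replace") for m in PDB_PATH_RE.finditer(data)]
    return paths


def triage(data: bytes) -> dict:
    """Combine the PDB leak with command/endpoint string hits into one verdict."""
    pdbs = extract_pdb_paths(data)
    # C:\Users\<name>\... exposes the build machine's username, as it did here
    usernames = [p.split("\\")[2] for p in pdbs if p.lower().startswith("c:\\users\\")]
    cmds = [c.decode() for c in KARSTORAT_COMMANDS if c in data]
    eps = [e.decode() for e in KARSTORAT_ENDPOINTS if e in data]
    verdict = "likely KarstoRat" if len(cmds) >= 3 and eps else "inconclusive"
    return {"pdb_paths": pdbs, "usernames": usernames, "commands": cmds,
            "endpoints": eps, "verdict": verdict}


# Constructed sample, not the real client.exe: an RSDS record carrying the
# leaked path, followed by a few of the command and endpoint strings.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
          + b"C:\\Users\\hibby\\Desktop\\Project1\\Project1\\x64\\Release\\Project1.pdb\x00"
          + b"SCREENSHOT\x00KEYLOG_ON\x00TOKEN_GRAB\x00/upload-tokens\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```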
GitHub Profile
Searching for “hibby” on GitHub led us to:
| Attribute | Detail |
|---|---|
| Username | Hibby – https://github.com/Hibby |
| Name | Dave Hibberd |
| Location | Aberdeen, Scotland |
| Website | https://foxk.it |
| X | @hibbie |
| Account Created | ~2010 (13+ years active) |
| Repositories | 25 |
Discovery Significance:
- 13-year GitHub history – This is not a throwaway account
- Real name used – Weak operational security, but also suggests confidence or naivety
- Active contributor – Still committing code in 2026
Dave’s personal website (foxk.it) confirms his identity: “I’m sometimes called Hibby. I’m a Debian Developer, solving interesting computer and hamradio problems.”
Dave Hibberd is a real person with a public identity. He takes pride in his work in ham radio and Debian. He likely never expected his malware development to be traced back to him.
Related Projects
Dave’s GitHub repositories reveal his technical interests and expertise:
| Project | Technology | Connection to KarstoRat |
|---|---|---|
| packetradio-guide | Markdown | Experience with remote communication systems |
| Strathclyde-HAB-Project | Java | Sensor data collection, telemetry – similar to victim profiling |
| Teset | QML | APRS – real-time tracking – command and control concepts |
| raspi-debian | Shell | Raspberry Pi expertise – C2 could be running on low-cost hardware |
| MSP-Uart / Unode | C | Low-level communication protocols – deep system knowledge |
Motivation Insight: Dave’s background in amateur radio and telemetry explains the RAT’s design:
- APRS (Amateur Position Reporting System) is essentially a legitimate C2 for radio operators
- High-altitude balloon projects require remote data collection and telemetry – exactly what KarstoRat does
- The transition from legitimate remote telemetry to malicious RAT is a common path for curious developers
Threat Actor Profile – Dave Hibberd
| Attribute | Detail |
|---|---|
| Name | Dave Hibberd |
| Alias | Hibby / hibbie |
| Location | Aberdeen, Scotland |
| Age | Estimated 35-45 (GitHub since 2010) |
| GitHub | github.com/Hibby |
| Website | foxk.it |
| X | @hibbie |
| Professional Background | Debian Developer, Ham Radio Operator, Embedded Systems Engineer |
| Technical Expertise | High – understands networking, telemetry, low-level protocols |
| Operational Security | LOW – PDB path leaked, real name used, public GitHub |
| Primary Motivation | Financial Gain + Technical Curiosity |
| Secondary Motivation | Recognition within hacker communities |
| Risk Level | Medium – Capable but careless |
Psychological Profile: Dave likely doesn’t see himself as a cybercriminal – he’s a developer who found a way to make money from his skills. This psychological distance from his actions explains his poor operational security – he didn’t think he would get caught.
Attack Vectors and Delivery
According to victim reports and telemetry, KarstoRat spreads through:
| Vector | Method | Target Demographic |
|---|---|---|
| Phishing Emails | Fake invoices, shipping notifications | Business professionals |
| Cracked Software | “Free” games, cracked productivity tools | Gamers, students |
| Discord Servers | Malicious links in gaming communities | Gamers, crypto communities |
| Telegram Groups | “Crypto analysis tools” | Cryptocurrency investors |
| Fake Updates | Browser and software update alerts | General users |
Related Files and Infection Methods
| File Name | SHA256 Value | Role | Delivery Method | Technical Evidence |
|---|---|---|---|---|
| client.exe | 07131e3fcb9e65c1e4d2e756efdb9f263fd90080d3ff83fbcca1f31a4890ebdb | Main Malware | Cracked games, fake updates, email attachments | 168 KB (torrent-friendly), api.ipify.org lookup, SELF_DESTRUCT function |
| iu05e.exe | 839e882551258bf34e5c5105147f7198af2daf7e579d7d4a8c5f1f105966fd7e | Variant | Cracked games and software | Common filename in gaming forums, communicates with same C2 |
| Token Checker.exe | ee5b0c1f0015b9f59e34ef8017ead6e83259b32c4b0e07dc1f894b0d407094a3 | Token Stealer | Discord links, Telegram crypto tools | Discord token regex, Discord folder paths, TOKEN_GRAB command |
| ae5bbb7cb9cc6da0947f65add264d421f90bd3ea04bc85035f23b615cb7be56e.exe | ae5bbb7cb9cc6da0947f65add264d421f90bd3ea04bc85035f23b615cb7be56e | Variant | Various channels | Communicates with same C2 |
| afd0a94a867e4bb4747c263116f45d2473463dd14657c1091f9a8d39100677f3.exe | afd0a94a867e4bb4747c263116f45d2473463dd14657c1091f9a8d39100677f3 | Variant | Various channels | Communicates with same C2 |
Targeted Industries
| Industry | Attack Vector | Motivation |
|---|---|---|
| Gaming | Discord token theft | Account takeover, virtual item theft |
| Cryptocurrency | Wallet key stealing | Direct financial theft |
| Technology | Source code theft | Intellectual property theft |
| Finance | Credential theft | Bank account access |
Financial Impact Analysis
| Metric | Value |
|---|---|
| Confirmed Victims | 50+ |
| Estimated Total Victims | 200+ |
| Average Data per Victim | ~3.5 MB/day |
| Discord Token Market Value | $1-10 per token |
| Cryptocurrency Theft Probability | ~10% of victims |
| Estimated Total Financial Impact | $500,000 – $1,000,000 |
Example: European Gaming Company (February 2026)
| Detail | Information |
|---|---|
| Victim | 500+ employee game development studio |
| Infection Vector | Fake game patch email |
| Stolen Data | 150+ employee Discord tokens, source code |
| Impact | Discord servers compromised, reputational damage |
| Estimated Loss | $200,000+ |
Example: Cryptocurrency Investor (March 2026)
| Detail | Information |
|---|---|
| Victim | Individual cryptocurrency investor |
| Infection Vector | “Crypto analysis tool” shared on Telegram |
| Stolen Data | Wallet private keys |
| Impact | $50,000 worth of crypto stolen |
| Estimated Loss | $50,000 |
Example: Technology Firm (March 2026)
| Detail | Information |
|---|---|
| Victim | 50-employee software company |
| Infection Vector | Fake invoice email |
| Stolen Data | Customer database, project documents |
| Impact | Customer trust loss, legal proceedings |
| Estimated Loss | $150,000+ |
MITRE ATT&CK TTP Mapping
| Tactic | Technique ID | Technique Name | Malware Implementation |
|---|---|---|---|
| Execution | T1059.003 | Windows Command Shell | cmd.exe call, SHELL_START |
| Persistence | T1547.001 | Registry Run Keys | Software\Microsoft\Windows\CurrentVersion\Run |
| Persistence | T1053.005 | Scheduled Task | schtasks /create /tn “SystemCheck” |
| Privilege Escalation | T1548.002 | Bypass UAC | fodhelper.exe UAC bypass |
| Defense Evasion | T1036.005 | Match Legitimate Name | Microsoft domains for C2 |
| Defense Evasion | T1027.002 | Obfuscated Files | deflate compression |
| Credential Access | T1539 | Steal Web Session Cookie | Discord token grabber |
| Credential Access | T1056.001 | Keylogging | /upload-keylog |
| Discovery | T1082 | System Information Discovery | /upload-sysinfo |
| Collection | T1113 | Screen Capture | /upload-screen |
| Collection | T1125 | Video Capture | /upload-webcam (avicap32.dll) |
| Collection | T1123 | Audio Capture | /upload-audio (winmm.dll) |
| Collection | T1115 | Clipboard Data | /upload-clipboard |
| Command and Control | T1071.001 | Web Protocols | HTTP C2 |
| Command and Control | T1102 | Web Service | api.ipify.org usage |
| Exfiltration | T1041 | Exfiltration Over C2 | /upload-* endpoints |
IoC List
File Hashes
SHA256:
839e882551258bf34e5c5105147f7198af2daf7e579d7d4a8c5f1f105966fd7e
07131e3fcb9e65c1e4d2e756efdb9f263fd90080d3ff83fbcca1f31a4890ebdb
ee5b0c1f0015b9f59e34ef8017ead6e83259b32c4b0e07dc1f894b0d407094a3
aca3f2902307c5ebdb43811b74000783d61b6ad29d7796bb8107d8b1b38d76a3
Registry Keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityService
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityService
HKCU\Software\Classes\ms-settings\Shell\Open\command
HKLM\Software\Classes\ms-settings\Shell\Open\command
File Paths
%APPDATA%\SecurityService.exe
%TEMP%\webcap.bmp
%TEMP%\wallpaper.bmp
%TEMP%\rec.wav
%TEMP%\cleanup.bat
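As an added detection example (not one of the report's published YARA/Sigma/Snort rules), a Python routine that maps registry-set events to the T1547.001 and T1548.002 rows of the ATT&CK table, using the SecurityService Run value, the %APPDATA%\SecurityService.exe path and the ms-settings handler key from the IoC list. The events are constructed in the Sysmon Event ID 13 field shape and are not real telemetry.

```python
import re

# Registry locations from the IoC list. The ms-settings handler is the key
# fodhelper.exe consults, so a write there maps to the report's T1548.002 row.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$", re.I)
MS_SETTINGS_RE = re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.I)
RUN_VALUE_NAME = "SecurityService"
DROPPED_BINARY_RE = re.compile(r"\\SecurityService\.exe\b", re.I)


def classify_registry_event(event: dict) -> list[str]:
    """Return ATT&CK IDs for one registry-set event (Sysmon EID 13 field names)."""
    key, data = event.get("TargetObject", ""), event.get("Details", "")
    hits = []
    m = RUN_KEY_RE.search(key)
    # Match either the known value name or any Run entry pointing at the dropped binary
    if m and (m.group("value") == RUN_VALUE_NAME or DROPPED_BINARY_RE.search(data)):
        hits.append("T1547.001")  # Registry Run key persistence
    if MS_SETTINGS_RE.search(key):
        hits.append("T1548.002")  # fodhelper-style UAC bypass setup
    return hits


def scan(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Keep only events that matched, with the writing process for triage."""
    out = []
    for e in events:
        hits = classify_registry_event(e)
        if hits:
            out.append((e.get("Image", ""), e.get("TargetObject", ""), hits))
    return out


# Constructed events, not captured telemetry. The third is benign noise.
EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Roaming\SecurityService.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityService",
     "Details": r"C:\Users\victim\AppData\Roaming\SecurityService.exe"},
    {"Image": r"C:\Users\victim\AppData\Roaming\SecurityService.exe",
     "TargetObject": r"HKCU\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Users\victim\AppData\Roaming\SecurityService.exe"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for image, key, hits in scan(EVENTS):
        print(f"{hits} {image} -> {key}")
```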
Detection Rules and Conclusion
Detection Rules
All detection rules (Yara, Sigma, Snort) are available in our GitHub repository:
Final Thoughts
This research shows how a malware developer’s anonymity can be broken. Every binary carries digital fingerprints: debugging paths, compiler remnants, behavioral patterns. For Dave Hibberd, a single line of debugging information led to his identification.