Another example of an Opsec failure in malware C2 Panels

Introduction

This is not going to be a long article. I have written some articles before about blunders in malware infrastructures. Some threat actors make bad mistakes that can cost them their infrastructure, or their logs in the case of stealers.

- This article shows an example of a simple bug that could cost the threat actors their entire infrastructure https://www.rootkall.com/2025/03/hacking-website-used-to-deliver-malware.html

- This one is about a Stealer called Gremlin, the logs were accessible via an "Index Of" page :p https://www.rootkall.com/2025/04/gremlin-stealer-strings-decryption.html

I wasn't really sure if I should write about this case but sharing knowledge is always good.

As you can see in the screenshot, someone shared a C2 panel. I love these, in the sense that I try to compromise them. In a reply to the tweet I pointed out the blunder that was made.



The C2 panel is open source:

A quick search for "C2WebServer" in a search engine yields the GitHub repository of the malware as well as the web panel.


Taking a look at the "login.php" code shows something very weird: passwords are not hashed in the database :p


And where is the database? It is in the root folder of the web server :D


We can download it and read it with DB Browser, for example. We now have access to many interesting things.


We can see the users and their passwords. It seems like someone is just trying to mess around.


These don't seem like public addresses, so this is definitely not a serious campaign.
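The two weaknesses shown above (credentials stored unhashed, and the database file sitting in the web root) can be checked for mechanically. The script below is an added example written for this post, not code from the C2WebServer panel; it assumes a SQLite database with a `users(username, password)` table, since the real schema is not shown, and builds a constructed sample database to audit.

```python
import os
import re
import sqlite3
import tempfile

# Heuristic for "looks hashed": crypt-style prefix ($2y$, $argon2id$, $6$, ...)
# or a bare MD5/SHA-1/SHA-256 hex digest. Anything else is treated as plaintext.
HASH_RE = re.compile(r"^\$[0-9a-z-]+\$|^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$", re.I)

def is_inside(path, root):
    """True if path resolves to a location under root (i.e. web-reachable)."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def plaintext_users(db_path):
    """Usernames whose stored credential does not look like a hash (assumed schema: users(username, password))."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT username, password FROM users").fetchall()
    finally:
        con.close()
    return [user for user, pw in rows if not HASH_RE.match(pw or "")]

def audit(db_path, web_root):
    """Report the two weaknesses from the post: exposed DB file, unhashed passwords."""
    findings = []
    if is_inside(db_path, web_root):
        findings.append("database file is inside the web root and may be downloadable")
    weak = plaintext_users(db_path)
    if weak:
        findings.append("plaintext passwords stored for: " + ", ".join(weak))
    return findings

def build_demo_db(directory):
    """Constructed sample: DB dropped in the web root, one plaintext and one bcrypt-shaped row."""
    db = os.path.join(directory, "panel.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "hunter2"), ("ops", "$2y$10$" + "x" * 53)])
    con.commit()
    con.close()
    return db

def demo():
    """Build the constructed DB inside a temporary web root and audit it."""
    root = tempfile.mkdtemp()
    return audit(build_demo_db(root), root)
```

Calling `demo()` returns both findings for the constructed sample; point `audit()` at a real panel's database path and document root to check a deployment.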



Conclusion

Even though this doesn't seem like a serious campaign, it does highlight the almost certain fact that every C2 panel has a vulnerability, and sometimes these are not that complicated. I was not sure about writing this article, but it seems like a good thing to share with people.
