Hands-on Keyboard Attack & Credential Stuffing Operation on MTS Domain Controller
2026-02-25
Ahmadou N’Diaye
MyDFIR
🔴 CRITICAL
An attacker known as AMIRMAHDI broke into the MTS main server through a remote access service that was left open to the internet with a stolen password. Once inside, they installed hidden tools to stay connected, turned off the security monitoring software, and created secret administrator accounts disguised as legitimate Windows accounts to avoid being caught. They also accessed three other computers on the network. Their main goal was to use MTS's server to test over 277,000 stolen usernames and passwords against Steam, ExpressVPN, and IPVanish. MTS was not their real target — they used MTS's trusted network to make their criminal activity look legitimate.
| Time (UTC) | Event |
|---|---|
| Feb 5, 6:59 AM | RDP into DC using administrator from 45.227.254.155 |
| Feb 5, 1:15:50 PM | Network auth into DC using administrator from 91.238.181.92 |
| Feb 5, 1:15:54 PM | Successful RDP into DC from 91.238.181.92 |
| Feb 5, 1:16:18 PM | TextIntelHost.exe executed - malware orchestrator launched |
| Feb 5, 1:16:19 PM | slhost.exe executed - local C2 server on port 8080 |
| Feb 5, 1:16:19 PM | deskt.lnk dropped into Startup folder - persistence established |
| Feb 5, 1:16:29 PM | banana_v001.lnk dropped into Startup folder - persistence established |
| Feb 6, 5:37:36 PM | Attacker checked Software Inventory Logging state |
| Feb 6, 5:38:14 PM | Gorelo RMM uninstalled - monitoring eliminated before main operation |
| Feb 6, 5:41:53 PM | RDP into mts-pc-1.mts.local from 100.98.208.110 using mts-administrator |
| Feb 6, 6:15:40 PM | RDP into mts-pc-2.mts.local from 100.98.208.110 |
| Feb 6, 6:40:37 PM | RDP into mts-pc-4.mts.local from 100.98.208.110 |
| Feb 6, 7:28:28 PM | Network connection into DC from 151.241.122.72 |
| Feb 7, 3:36:57 AM | TextIntelHost.exe re-executed via LNK persistence - curl http://localhost:8080/2025 called, fileless PowerShell payload delivered |
| Feb 7, 3:36:57 AM | LNK persistence files re-dropped (self-repairing mechanism confirmed) |
| Feb 7, 3:37:22 AM | Registry modified - dontdisplaylastusername=1, LogonType=0 (hide login screen activity) |
| Feb 7, 3:37:23 AM | RDP hardened - fDenyTSConnections=0, fAllowUnsolicited=1, fAllowUnsolicitedFullControl=1 |
| Feb 7, 3:37:24 AM | UserAuthentication=0 (NLA disabled), WDigest enabled - plaintext credentials now stored in LSASS |
| Feb 7, 3:37:30 AM | ARP executed - local network mapping |
| Feb 7, 3:37:31 AM | Network Discovery enabled via netsh |
| Feb 7, 3:37:34 AM | Active Directory Users & Computers launched via mmc.exe |
| Feb 7, 3:37:36 AM | AnyDesk installed silently - secondary persistent backdoor |
| Feb 7, 3:37:48 AM | AnyDesk password set - b4ouDLG9trr |
| Feb 7, 3:37:49 AM | AnyDesk hidden from Uninstall list via SystemComponent registry key |
| Feb 7, 3:38:04 AM | Domain name enumerated via WMIC, AnyDesk ID retrieved for callback |
| Feb 7, 3:38:55 AM | Guest account renamed to WDAGUtilityAccount (real Windows system account name) - identity theft to deceive defenders |
| Feb 7, 3:38:56 AM | New Guest account created as replacement - covering tracks |
| Feb 7, 3:38:57 AM | WDAGUtilityAccount added to Domain Admins, Enterprise Admins, Schema Admins |
| Feb 7, 3:38:57 AM | Guest removed from Users group to reduce enumeration visibility |
| Feb 7, 3:38:57 AM | PowerShell history deleted |
| Feb 7, 3:50:36 AM | Attacker authenticated using WDAGUtilityAccount (LogonType 3) - backdoor account validated |
| Feb 8, 5:32:45 AM | Last known authentication using WDAGUtilityAccount |
| Feb 10, 12:04:56 PM | LogonType 3 NTLM login into DC from 45.222.101.19 - Pass-the-Hash using NTLM hash harvested after WDigest was enabled |
| Feb 10, 12:05:00 PM | FVtSXffc.exe created under C:\Windows\ by ntoskrnl.exe - Impacket PSExec payload pushed over SMB |
| Feb 10, 12:05:02 PM | FVtSXffc.exe registered as service fHgq - random name consistent with Impacket tooling |
| Feb 10, 12:06:25 PM | svchost.exe spawn blocked by Microsoft Defender - payload execution prevented |
| Feb 10, 2:39:46 PM | Second LogonType 3 NTLM login from 45.222.101.19 - service implant check-in |
| Feb 10, 9:51:56 PM | zach.balrog account - attrib.exe -s -h executed to unhide hidden files |
| Feb 10, 9:57:31 PM | zach.balrog - 7zG.exe used to compress attacker toolkit under C:\Users\administrator\3D Objects |
| Feb 10, 10:13:07 PM | slhost.exe detected as Trojan by Microsoft Defender |
| Feb 10, 11:43:22 PM | user creator-newamooz.com.bat executed - third backdoor account creation scripted |
| Feb 10, 11:43:38 PM | SystemAdmin account created, password Amirmahdi0090, added to local Administrators |
| Feb 10, 11:43:38 PM | SystemAdmin hidden from Windows login screen via SpecialAccounts\Userlist registry key |
| Feb 10, 11:44:35 PM | Attacker authenticated using SystemAdmin (LogonType 3) |
| Feb 10, 11:44:42 PM | RDP from 2.190.78.59 using SystemAdmin - matches amirmahdi IOC |
| Feb 11, 12:01:46 AM | Python 3.10 installed under SystemAdmin profile |
| Feb 11, 12:03:43 AM | Steam Updated Checker.py first executed |
| Feb 11, 12:05:00 AM | pycryptodome library installed via pip |
| Feb 11, 12:22:17 AM | @TXTLogsCloud Logs-Tool V4.zip created - credential parsing tool deployed |
| Feb 11, 12:26:42 AM | DUMP ULP 04.02.2026 Base34 9.txt downloaded via Edge - 277,000+ stolen credentials |
| Feb 11, 12:46:00 AM | Credentials parsed - Extracted User and Passwords.txt created |
| Feb 11, 12:56:26 AM | DCSync attempt BLOCKED - ContainedUserRpcAccessBlocked on DRS interface using SystemAdmin |
| Feb 11, 12:58:54 AM | TextFileSplitter installed and executed |
| Feb 11, 12:59:57 AM | Credential splitting begins - _000001.txt created |
| Feb 11, 1:00:25 AM | Last split file - minimum 277 chunks (277,000+ credential pairs confirmed) |
| Feb 11, 1:01:11 AM | Credential stuffing begins - Steam checker - 1,915 connections - AMIRMAHDI hostname confirmed in telemetry |
| Feb 11, 1:04:31 AM | Last Steam stuffing connection |
| Feb 11, 1:45:44 AM | ExpressVPN checker launched |
| Feb 11, 1:52:00 AM | SOCKS5 proxy list loaded for IP rotation |
| Feb 11, 2:00:12 AM | IPVanish checker launched |
| Feb 11, 2:01 AM | ExpressVPN/IPVanish stuffing - 1,000 ConnectionSuccess, 967 ConnectionFailed |
| Feb 11, 2:09:21 AM | Final checker session - Steam Updated Checker |
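Most of the Feb 7 and Feb 10 timeline entries are host-side changes that leave distinct Windows Security and Sysmon events behind: external RDP logons, NTLM network logons from the internet, registry writes that re-open RDP, disable NLA or enable WDigest, accounts hidden through SpecialAccounts\UserList, programs hidden through SystemComponent, a built-in account name reused for a backdoor, and additions to the privileged AD groups. The rule set below is an added example written for this report, not MyDFIR tooling or anything recovered from the MTS hosts. It evaluates normalised event records as a SIEM might export them; the event dict field names follow the Windows event XML names but are an assumption about the export, and the sample events are constructed to mirror the timeline, with the account name on the Feb 10 NTLM logon chosen for illustration because the report does not state it.

```python
import ipaddress
import re

# Groups whose membership change is always worth an alert (three of them appear in the timeline).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Built-in Windows account names; a rename or creation that reuses one mimics a system account.
BUILTIN_ACCOUNT_NAMES = {"wdagutilityaccount", "defaultaccount", "guest", "administrator"}
# Registry value name -> (DWORD data that weakens the host, description). Matching on the
# value name alone lets the rule fire whether the write lands under the policy or control-set key.
WEAKENING_REG_VALUES = {
    "fdenytsconnections": (0, "RDP connections re-enabled"),
    "userauthentication": (0, "NLA disabled on the RDP listener"),
    "fallowunsolicited": (1, "unsolicited Remote Assistance allowed"),
    "fallowunsolicitedfullcontrol": (1, "unsolicited Remote Assistance full control allowed"),
    "uselogoncredential": (1, "WDigest plaintext credential caching enabled"),
    "dontdisplaylastusername": (1, "last logged-on user hidden from the logon screen"),
}


def _is_external(ip):
    """True for globally routable addresses; '-' and CGNAT/overlay ranges count as internal."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def _dword(details):
    """Sysmon writes DWORD data as 'DWORD (0x00000001)'; return the integer, or None."""
    m = re.search(r"DWORD \(0x([0-9a-fA-F]+)\)", details or "")
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """Return the alert strings for one normalised event (empty list if nothing matched)."""
    alerts = []
    eid = event.get("EventID")
    if eid == 4624:  # successful logon
        ip, user = event.get("IpAddress", "-"), event.get("TargetUserName", "")
        ltype, pkg = int(event.get("LogonType", 0)), event.get("AuthenticationPackageName", "")
        if ltype == 10 and _is_external(ip):
            alerts.append(f"RDP logon for {user} from external IP {ip}")
        if ltype == 3 and pkg.upper() == "NTLM" and _is_external(ip):
            alerts.append(f"NTLM network logon for {user} from external IP {ip} (pass-the-hash pattern)")
    elif eid == 4781:  # account renamed
        new, old = event.get("NewTargetUserName", ""), event.get("OldTargetUserName", "")
        if new.lower() in BUILTIN_ACCOUNT_NAMES:
            alerts.append(f"account {old} renamed to built-in name {new}")
    elif eid == 4720:  # account created
        new = event.get("TargetUserName", "")
        if new.lower() in BUILTIN_ACCOUNT_NAMES:
            alerts.append(f"account created with built-in name {new}")
    elif eid in (4728, 4732, 4756):  # member added to global / local / universal group
        group = event.get("TargetUserName", "")
        if group.lower() in PRIVILEGED_GROUPS:
            alerts.append(f"{event.get('MemberName', '?')} added to {group}")
    elif eid == 13:  # Sysmon RegistryEvent: value set
        path = event.get("TargetObject", "")
        low, leaf = path.lower(), path.rsplit("\\", 1)[-1]
        data = _dword(event.get("Details"))
        rule = WEAKENING_REG_VALUES.get(leaf.lower())
        if rule and data == rule[0]:
            alerts.append(f"{rule[1]} ({path})")
        if "\\specialaccounts\\userlist\\" in low and data == 0:
            alerts.append(f"account {leaf} hidden from the logon screen")
        if leaf.lower() == "systemcomponent" and "\\uninstall\\" in low and data == 1:
            alerts.append(f"program hidden from the Uninstall list ({path})")
    return alerts


def scan(events):
    """Evaluate every event and return (TimeCreated, alert) pairs in input order."""
    return [(ev.get("TimeCreated", "?"), a) for ev in events for a in evaluate(ev)]


# Constructed sample events shaped after the timeline entries (not real log exports).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2026-02-05T13:15:54Z", "TargetUserName": "administrator",
     "LogonType": 10, "IpAddress": "91.238.181.92", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4624, "TimeCreated": "2026-02-06T17:41:53Z", "TargetUserName": "mts-administrator",
     "LogonType": 10, "IpAddress": "100.98.208.110", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 13, "TimeCreated": "2026-02-07T03:37:24Z", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"EventID": 13, "TimeCreated": "2026-02-07T03:37:24Z", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication"},
    {"EventID": 4781, "TimeCreated": "2026-02-07T03:38:55Z",
     "OldTargetUserName": "Guest", "NewTargetUserName": "WDAGUtilityAccount"},
    {"EventID": 4728, "TimeCreated": "2026-02-07T03:38:57Z", "TargetUserName": "Domain Admins",
     "MemberName": "CN=WDAGUtilityAccount,CN=Users,DC=mts,DC=local"},
    {"EventID": 4624, "TimeCreated": "2026-02-10T12:04:56Z", "TargetUserName": "administrator",
     "LogonType": 3, "IpAddress": "45.222.101.19", "AuthenticationPackageName": "NTLM"},
    {"EventID": 13, "TimeCreated": "2026-02-10T23:43:38Z", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\SystemAdmin"},
]

if __name__ == "__main__":
    for ts, alert in scan(SAMPLE_EVENTS):
        print(ts, alert)
```

Two design points matter when adapting this. First, `_is_external` relies on `ipaddress.is_global`, so the 100.98.208.110 lateral-movement source from the timeline is not flagged: 100.64.0.0/10 is carrier-grade NAT space, typically an overlay or VPN network, and an environment that does not use such a network should treat it as external. Second, the registry rules compare the value name and DWORD data only; an attacker can also achieve the same effect through Group Policy or `sc`/`net` commands, so these should sit alongside process-creation detections for `reg.exe`, `netsh` and `net user`, not replace them.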
WHO: Attacker identified as AMIRMAHDI, a financially motivated cybercriminal who buys and sells stolen credentials. Confirmed through four independent evidence sources all pointing to the same person. Multiple operators likely involved.

WHAT: The attacker broke in, installed hidden tools, disabled monitoring, created three secret admin accounts, accessed workstations, and ran a large-scale criminal operation using MTS infrastructure to test 277,000+ stolen credentials against external services.