Analyzing an AI‑Developed C2 Remote‑Access Trojan Framework

The article details an AI‑crafted C2 remote‑access trojan framework hosted at 101.32.128[.]36:8443, describing its Go implant, Python listener, PowerShell stager, custom encrypted protocol over port 443, Telegram bot exfiltration, and the payload delivery chain via paste.rs and GitHub Gist, and provides sample hashes for the binaries.

Black & White Path

Open directory address

101.32.128[.]36:8443

Logs show repeated “prank” keywords, suggesting the framework is still in testing.

Component composition

Go implant

Python listener / CLI

PowerShell stager

Custom encrypted protocol over port 443

Data exfiltration via a Telegram bot

Payload delivery chain

Payloads are hosted on paste.rs and linked through a GitHub Gist. paste.rs/ei7cC contains install.ps1 → stub.ps1 (paste.rs/9NTrv).
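The open‑directory address and the two paste.rs links above are the concrete, matchable indicators this write‑up gives for the delivery chain. The following is an added example (not code from the article or from the framework's authors) of a small proxy‑log sweep that refangs those indicators, matches them against constructed sample log lines, and classifies each host by how far along the published chain it appears to be. The Gist pattern is an assumption: the article names a GitHub Gist as the link into the chain but gives no Gist id, so that match is treated as weak on its own.

```python
import re
from typing import Dict, List, Set

# Indicators copied from the write-up, kept defanged as published.
INDICATORS_DEFANGED: Dict[str, str] = {
    "c2_open_directory": "101.32.128[.]36:8443",  # open directory / listener
    "stage1_install_ps1": "paste.rs/ei7cC",       # hosts install.ps1
    "stage2_stub_ps1": "paste.rs/9NTrv",          # hosts stub.ps1
}

# The article names a GitHub Gist as the link into the chain but does not give
# its id, so this is a weak, generic host pattern (assumption, not from the article).
GIST_HOST_RE = re.compile(r"gist\.github(?:usercontent)?\.com/")


def refang(ioc: str) -> str:
    """Convert a defanged indicator back to its literal form for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


INDICATOR_PATTERNS = {name: re.compile(re.escape(refang(value)))
                      for name, value in INDICATORS_DEFANGED.items()}

# Constructed sample proxy log lines (format: time host method url status [ua=...]).
# These are made up for the example; they are not logs from the article.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z host1 GET https://gist.github.com/user/0123abcd 200 ua=Mozilla/5.0
2024-01-01T10:00:02Z host1 GET https://paste.rs/ei7cC 200 ua=PowerShell/5.1
2024-01-01T10:00:03Z host1 GET https://paste.rs/9NTrv 200 ua=PowerShell/5.1
2024-01-01T10:00:09Z host1 CONNECT 101.32.128.36:8443 200
2024-01-01T10:00:10Z host2 GET https://example.com/index.html 200 ua=Mozilla/5.0
2024-01-01T10:00:11Z host2 GET https://paste.rs/ei7cC 200 ua=curl/8.0
"""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per (line, indicator); strong indicators first, weak Gist match last."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than guess
        host = fields[1]
        for name, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(line):
                hits.append({"host": host, "indicator": name, "line": line})
        if GIST_HOST_RE.search(line):
            hits.append({"host": host, "indicator": "weak_gist_link", "line": line})
    return hits


def indicators_by_host(text: str) -> Dict[str, Set[str]]:
    """Group matched indicator names per host so the chain can be assessed per machine."""
    out: Dict[str, Set[str]] = {}
    for hit in scan_log(text):
        out.setdefault(hit["host"], set()).add(hit["indicator"])
    return out


def chain_stage(names: Set[str]) -> str:
    """Classify how far along the published delivery chain a host appears to be."""
    if "c2_open_directory" in names:
        return "c2_contact"        # host reached the listener: treat as compromised
    if {"stage1_install_ps1", "stage2_stub_ps1"} & names:
        return "stager_download"   # PowerShell stage fetched; implant may follow
    if "weak_gist_link" in names:
        return "gist_only"         # benign on its own; only interesting with other hits
    return "none"


if __name__ == "__main__":
    for host, names in sorted(indicators_by_host(SAMPLE_LOG).items()):
        print(host, chain_stage(names), sorted(names))
```

The per‑host grouping matters more than the raw hits: a single paste.rs fetch from a curl user agent is worth a look, but a host that fetched both stages and then opened a connection to the listener on 8443 is the one to isolate first.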

Attack flow

Shortcut hijacking → VBS/PowerShell execution → UAC bypass → loader → HKCU startup entry → polling agent → RAT deployment.

Attack chain diagram

Sample hashes

belgorod.exe

871ceb0b6b187e66caad5e55e787040460b5b9f865ae8765fa741a0c741ffbb7

payload.bin (XOR‑obfuscated belgorod.exe)

efe7b09b00628d4ac649d6a378dafb146480abe49573af5eafa193f43181e0a0
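The article describes payload.bin as an XOR‑obfuscated copy of belgorod.exe and gives both SHA‑256 values, which is enough for an analyst to confirm the relationship without running anything. The following is an added example (not code from the article) of that check: it assumes a single‑byte XOR key, which the article does not state, recovers the key by known‑plaintext against the "MZ" PE signature, decodes the blob, and compares the result's SHA‑256 with the published hash of belgorod.exe. The sample input is a constructed fake PE header, not the real binary.

```python
import hashlib
from typing import Dict, Optional

# Hashes as published in the article.
BELGOROD_EXE_SHA256 = "871ceb0b6b187e66caad5e55e787040460b5b9f865ae8765fa741a0c741ffbb7"
PAYLOAD_BIN_SHA256 = "efe7b09b00628d4ac649d6a378dafb146480abe49573af5eafa193f43181e0a0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def recover_single_byte_xor_key(blob: bytes) -> Optional[int]:
    """Known-plaintext recovery: a PE file starts with b'MZ' (0x4D 0x5A).

    Assumes a single-byte key (the article does not state the key or its length).
    Derive the key from byte 0 and require byte 1 to agree; returns None otherwise.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ 0x4D
    if blob[1] ^ key != 0x5A:
        return None
    return key


def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def analyze_payload(blob: bytes, expected_plain_sha256: str) -> Dict[str, object]:
    """Try to recover and strip the XOR layer, then verify against a known hash.

    'matches_known' is the actual evidence: a decoded blob whose SHA-256 equals the
    published belgorod.exe hash is that binary, whatever the file was named.
    """
    key = recover_single_byte_xor_key(blob)
    if key is None:
        return {"status": "no_single_byte_key", "input_sha256": sha256_hex(blob)}
    decoded = xor_decode(blob, key)
    digest = sha256_hex(decoded)
    return {
        "status": "ok",
        "key": key,
        "input_sha256": sha256_hex(blob),
        "decoded_sha256": digest,
        "matches_known": digest == expected_plain_sha256,
    }


# Constructed sample: a fake PE header plus filler, NOT the real belgorod.exe.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"
           + b"This program cannot be run in DOS mode."
           + bytes(range(64)))
SAMPLE_KEY = 0x5C                                  # constructed key for the demo
FAKE_PAYLOAD_BIN = xor_decode(FAKE_PE, SAMPLE_KEY)  # what an obfuscated blob looks like


if __name__ == "__main__":
    # In practice: open("payload.bin", "rb").read() and compare against BELGOROD_EXE_SHA256.
    print(analyze_payload(FAKE_PAYLOAD_BIN, sha256_hex(FAKE_PE)))
```

With the real payload.bin, a decoded SHA‑256 equal to 871ceb0b… confirms the article's claim; a file whose input hash is efe7b09b… but whose decode does not match indicates the obfuscation is not a single‑byte XOR, and the key recovery has to be widened (repeating key, offset, or a different known‑plaintext region) rather than trusted.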
Tags: Python, Go, malware analysis, PowerShell, Telegram bot, Remote Access Trojan, C2
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
