Hunting New C2 Frameworks - Part 2 - Nexus C2, Shipped with Creds
ID: 9dca6518-84a2-5ec5-8413-eb878842d77e
STIX ID: report--9dca6518-84a2-5ec5-8413-eb878842d77e
Feed Name: On the Hunt
A technical deep-dive into the Nexus C2/RAT ecosystem: the author identified an exposed web panel and analyzed frontend leaks and a 64-bit Windows implant that implements WebSocket/HTTPS C2, credential theft (including Chrome ABE bypass via injected helper DLL), keylogging, VNC/screen/audio streaming, persistence, update mechanisms, and anti-analysis checks. The report includes sample metadata (SHA256), C2 infrastructure (nexusc2.works, 192.253.248.13), operator IPs, infection counts (~287 hosts), and actionable IOCs for detection and blocking.
