Ransomware Groups Pivot: The Rise of Weyhro C2, a New Advanced Command-and-Control Platform
A new command-and-control framework, Weyhro C2, has begun circulating in cybercriminal circles. Its promotion coincides with the activity of a ransomware group of the same name, suggesting an attempt to diversify revenue by commercializing ready-made offensive tooling.
In early December, a user operating under the alias Weyhro posted an advertisement on an underground forum offering Weyhro C2 for sale, presenting it as an advanced toolkit for covert operations backed by a full-fledged command server infrastructure. The product is marketed as a means of evading antivirus software and intrusion detection systems in corporate environments, spanning the entire compromise lifecycle—from initial access to persistence and post-exploitation.
Weyhro C2 is built on a modular architecture. Its components include a remote command shell, a SOCKS5 proxy for traffic tunneling, a stealthy HVNC remote desktop module capable of hijacking browser sessions, and functionality for handling Kerberos tickets. Additional features encompass file management and sophisticated evasion techniques, such as polymorphism, data encryption, and the disabling of built-in Windows security mechanisms.
Researchers note that the malicious agent operates entirely in memory and is deployed via a dedicated loader. Distribution follows a subscription-based model priced at approximately USD 3,000 per month, with payments accepted in cryptocurrency. The seller explicitly prohibits the use of the tool within CIS countries.
Analysis indicates that Weyhro C2 is closely linked to the Weyhro ransomware group, which surfaced in the spring of 2025. The overlap in timing and infrastructure strongly suggests a single operator who has chosen to move beyond data encryption and begin selling proprietary tools to other actors in the underground ecosystem.
Technically, Weyhro C2 conceals its strings and function references with the ChaCha20 cipher, uses a custom AES implementation to decrypt auxiliary components, and loads executable code without writing it to disk. To counter defensive controls, it reloads clean copies of Windows libraries from the file system, which removes the user-mode hooks that EDR products place in them, and disables ETW logging and the AMSI interface by patching their functions in memory.
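As an added illustration (not code from the article or from the Weyhro toolkit), the check below turns the unhooking trick around for the defender: read the first bytes of AmsiScanBuffer, EtwEventWrite and two ntdll stubs both from the module on disk and from the mapped image in a suspect process, then diff them and classify what overwrote the entry. The patch stubs, the prologue bytes and the process snapshot are all constructed for the example; the article does not publish the sample's actual patch bytes, so the stub list is an assumption about what to look for.

```python
from __future__ import annotations

PROLOGUE_LEN = 16  # bytes compared per export; covers every stub listed below

# Stubs that common in-memory AMSI/ETW bypasses write over a function entry.
# Assumption for this example: the sample uses one of these; the article gives
# no bytes, so treat the list as a starting point, not Weyhro's signature.
KNOWN_STUBS: dict[str, bytes] = {
    "ret": b"\xc3",
    "xor eax,eax; ret": b"\x31\xc0\xc3",
    "mov eax,0; ret": b"\xb8\x00\x00\x00\x00\xc3",
    "mov eax,E_INVALIDARG; ret": b"\xb8\x57\x00\x07\x80\xc3",
}

# Inline jumps at an entry point are what user-mode EDR hooks usually look like.
# Their *absence* where the EDR expects them is the footprint of the
# "reload the library from disk" unhooking step.
HOOK_OPCODES: dict[str, bytes] = {
    "jmp rel32": b"\xe9",
    "jmp [rip+disp32]": b"\xff\x25",
}


def classify_export(name: str, on_disk: bytes, in_memory: bytes) -> dict:
    """Diff the first PROLOGUE_LEN bytes of one export (file image vs. mapped
    image) and return a finding: status unmodified / patched / hooked / modified."""
    disk, mem = on_disk[:PROLOGUE_LEN], in_memory[:PROLOGUE_LEN]
    if disk == mem:
        return {"export": name, "status": "unmodified", "pattern": None, "offset": None}
    # Offset of the first differing byte; 0 means the entry itself was overwritten.
    offset = next((i for i, (a, b) in enumerate(zip(disk, mem)) if a != b),
                  min(len(disk), len(mem)))
    for label, stub in KNOWN_STUBS.items():
        if mem.startswith(stub):
            return {"export": name, "status": "patched", "pattern": label, "offset": offset}
    for label, op in HOOK_OPCODES.items():
        if mem.startswith(op):
            return {"export": name, "status": "hooked", "pattern": label, "offset": offset}
    return {"export": name, "status": "modified", "pattern": None, "offset": offset}


def scan(on_disk: dict[str, bytes], in_memory: dict[str, bytes]) -> list[dict]:
    """Classify every export present in both snapshots, in on_disk order."""
    return [classify_export(n, on_disk[n], in_memory[n]) for n in on_disk if n in in_memory]


def findings(on_disk: dict[str, bytes], in_memory: dict[str, bytes]) -> list[dict]:
    """Only the exports whose mapped bytes differ from the file on disk."""
    return [f for f in scan(on_disk, in_memory) if f["status"] != "unmodified"]


def overwrite(original: bytes, stub: bytes) -> bytes:
    """Simulate an in-place entry-point overwrite: stub replaces the leading bytes."""
    return stub + original[len(stub):]


# Constructed snapshot. The prologue bytes are illustrative x64 prologues chosen
# for the example, not copied from a specific Windows build.
SAMPLE_ON_DISK = {
    "amsi!AmsiScanBuffer": bytes.fromhex("4c8bdc49895b0849896b104989731857"),
    "ntdll!EtwEventWrite": bytes.fromhex("4883ec38488b442460458bd8488b4c24"),
    "ntdll!NtProtectVirtualMemory": bytes.fromhex("4c8bd1b850000000f604250803fe7f01"),
    "ntdll!NtAllocateVirtualMemory": bytes.fromhex("4c8bd1b818000000f604250803fe7f01"),
}
SAMPLE_IN_MEMORY = {
    "amsi!AmsiScanBuffer": overwrite(SAMPLE_ON_DISK["amsi!AmsiScanBuffer"],
                                     KNOWN_STUBS["mov eax,E_INVALIDARG; ret"]),
    "ntdll!EtwEventWrite": overwrite(SAMPLE_ON_DISK["ntdll!EtwEventWrite"], KNOWN_STUBS["ret"]),
    # An EDR-style inline hook left in place on one syscall stub, for contrast
    "ntdll!NtProtectVirtualMemory": overwrite(SAMPLE_ON_DISK["ntdll!NtProtectVirtualMemory"],
                                              b"\xe9\x00\x10\x00\x00"),
    "ntdll!NtAllocateVirtualMemory": SAMPLE_ON_DISK["ntdll!NtAllocateVirtualMemory"],
}

if __name__ == "__main__":
    for f in findings(SAMPLE_ON_DISK, SAMPLE_IN_MEMORY):
        print(f"{f['export']:30} {f['status']:10} {f['pattern'] or '-':26} first diff at +{f['offset']}")
```

Two caveats when running this against a real process (reading the bytes with ReadProcessMemory and the export table is left out here). A `jmp` at the entry is normally the EDR's own hook, not the malware's, so "hooked" is the expected state on a protected host; after the sample's reload-from-disk step those hooks disappear and the export compares as unmodified, which means the comparison should be made against what the EDR expects to find, not against the file alone. And the stub list only catches the well-known patches; anything else lands in "modified" and needs a disassembler.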
Persistence is achieved by copying the executable into the AppData directory and adding a Run-key entry under the registry's autorun locations. For deeper compromise and movement across the environment, the framework supports code injection into legitimate Windows processes and the creation of a hidden desktop invisible to the logged-on user, which is what its HVNC module runs in.
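A triage check for the persistence described above, added here as an example and not taken from the article: it parses a `reg export` of the Run/RunOnce keys, expands environment variables, extracts the executable from each command line and flags entries that launch from AppData or that reuse a system binary's name outside %SystemRoot%. The registry export, the environment values and the user name alice are constructed for the example.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Autorun keys of interest: Run/RunOnce in the user and machine hives.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}

# Constructed environment used to expand %VAR% in commands. On a live host take
# these from os.environ; on a disk image, from the profile being examined.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "PROGRAMFILES": r"C:\Program Files",
    "SYSTEMROOT": r"C:\Windows",
}

# Names that legitimately live under %SystemRoot%; the same file name launched
# from a profile directory is a classic masquerade.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "rundll32.exe", "dllhost.exe", "csrss.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: a doubled backslash becomes one, \\\" becomes a quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the REG_SZ values of a .reg / 'reg export' file into {key: {name: data}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ only; hex(2)/dword skipped
                keys[current][_unescape(name)] = _unescape(data[1:-1])
    return keys


def expand_env(s: str) -> str:
    """Expand %VAR% using ENV; unknown variables are left as written."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), s)


def executable_of(command: str) -> str:
    """Program path from an autorun command line, quoted ("C:\\a b.exe" /x) or not (C:\\a.exe /x)."""
    command = expand_env(command.strip())
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: Windows tries progressively longer prefixes; take up to the first ".exe".
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def audit_autoruns(text: str) -> list[dict]:
    """Flag Run/RunOnce values that launch from AppData or masquerade as a system binary."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key not in RUN_KEYS:
            continue
        for name, command in values.items():
            exe = executable_of(command)
            parts = [p.lower() for p in PureWindowsPath(exe).parts]
            reasons = []
            if "appdata" in parts:
                reasons.append("launches from AppData")
            if parts and parts[-1] in SYSTEM_BINARY_NAMES \
                    and not exe.lower().startswith(ENV["SYSTEMROOT"].lower()):
                reasons.append("system binary name outside %SystemRoot%")
            if reasons:
                hits.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return hits


# Constructed .reg export (not from any real host): a benign AppData entry, an
# entry under Program Files, and one shaped like the persistence described above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="%APPDATA%\\Microsoft\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="%ProgramFiles%\\Vendor\\agent.exe"
'''

if __name__ == "__main__":
    for h in audit_autoruns(SAMPLE_EXPORT):
        print(f"{h['name']:12} {h['exe']}\n    {'; '.join(h['reasons'])}")
```

The benign OneDrive entry is flagged too, because plenty of legitimate software installs per-user under AppData\Local: a hit from this audit is a lead to follow with the file's signature, hash and creation time, not a verdict. Only REG_SZ values are parsed; REG_EXPAND_SZ values that `reg export` writes as `hex(2):` are skipped, so extend the parser before relying on it for the machine hive.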
Analysts do point to a notable weakness: communication with the command server is unencrypted, so its traffic can be identified through network inspection. Even so, the appearance of Weyhro C2 reinforces a broader trend in which ransomware operators pivot toward selling general-purpose attack platforms as a service.