Part 2 of 2. Companion to The AI Did Not Write the Phish. It Built the Business. (Part 1: Analysis).
Part 1 made the case: an agentic system absorbed the technical work across infrastructure, virtualization, networking, debugging, and endpoint-control friction, and moved an operator from depending on others for access to producing it. This companion shows the pieces behind those claims.
These are selected, generalized excerpts, not a release. The full annotated source, the working policy material, the infrastructure identifiers, and the indicators stay restricted, exactly as Part 1 said they would. What is published here is reproduced close to the original with identifiers, binary names, file paths, host names, and infrastructure stripped or replaced. Arabic interface strings are translated to English; interface language is not treated as evidence of nationality, location, or identity.
The code is not sophisticated. That is part of the finding. The capability is not in the craft. It is in what the pieces are for, and in how ordinary administrative primitives were bolted together against an explicit request to manufacture and sell access.
1. The factory
The core loop provisions Hyper-V guests on demand. Each one is a product unit.
New-VMSwitch -SwitchName "RDP-NAT" -SwitchType Internal -ErrorAction SilentlyContinue
New-VM -Name "<vm>" -MemoryStartupBytes (4096MB) -VHDPath "<path>\<vm>.vhdx" `
-SwitchName "RDP-NAT" -Path "<path>" -ErrorAction Stop
Set-VMMemory -VMName "<vm>" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes (4096MB)
Add-VMDvdDrive -VMName "<vm>" -Path "<path>\Win11_25H2_x64.iso"
Set-VMBios -VMName "<vm>" -StartupOrder @("CD","IDE","LegacyNetworkAdapter","Floppy")
Read the build for what it actually is. Set-VMBios only applies to Generation 1 VMs; a supported Windows 11 guest requires a Generation 2 VM with Secure Boot and a TPM. So this is not a clean lab build. It is an unsupported Windows 11 deployment forced onto a legacy VM profile, with the installer’s own hardware checks switched off:
LabConfig\BypassTPMCheck = 1
LabConfig\BypassSecureBootCheck = 1
LabConfig\BypassRAMCheck = 1
OOBE\BypassNRO = 1
None of those bypasses is exotic on its own. The incoherence is the tell: a tool that wires installer bypasses into a legacy VM profile is one that was assembled against friction until the install went through, not engineered by someone who knew the platform.
2. The storefront
A host rents out many machines by mapping a distinct host-side port to each guest’s RDP service. One NAT network, then a port-proxy entry per VM:
New-NetNat -Name "RDP-NAT" -InternalIPInterfaceAddressPrefix "192.168.100.0/24"
netsh interface portproxy add v4tov4 listenport=3390 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.2
netsh advfirewall firewall add rule name="RDP-3390" dir=in action=allow protocol=TCP localport=3390
netsh interface portproxy add v4tov4 listenport=3391 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.3
netsh advfirewall firewall add rule name="RDP-3391" dir=in action=allow protocol=TCP localport=3391
Be precise about what listenaddress=0.0.0.0 does: it binds the proxy to every IPv4 interface on the host. That is not the same as “open to the internet.” Whether a guest is reachable from outside still depends on the host’s own addressing and on whatever NAT, router, or upstream forwarding sits in front of it. But the design is unambiguous: each guest gets its own host-side TCP listener, bound across the host’s IPv4 interfaces and reachable wherever upstream addressing and routing permit.
Inside each guest, RDP is force-enabled and pushed in from the host:
Invoke-Command -VMName "<vm>" -ScriptBlock {
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Set-Service -Name TermService -StartupType Manual; Start-Service -Name TermService
}
The tool’s own help text describes the setup. Translated from the original:
“Each VM needs a different port (3390, 3391, …). The VMs are isolated from each other and from the host by default. After creation, VMConnect opens to install Windows.”
The “different port per VM” line is exactly the rental architecture. The “isolated by default” line is also worth flagging, because it is technically wrong: an Internal Hyper-V switch permits guest-to-guest and guest-to-host traffic and only separates the guests from the physical network. The tool advertises an isolation guarantee it does not provide. One more sign the thing was assembled, not engineered.
3. It polices the renter
This is the part that settles what the tool is for. The console carries one-click controls that stop the user of the rented machine from cryptomining and from running cracking and hack tools. Translated UI:
“Enable mining block” · “Block crack / hack files” · status: “Mode: secure, mining blocked ✓”
Behind the mining button it blackholes known mining pools in the guest’s hosts file and blocks the common mining ports outbound:
# in C:\Windows\System32\drivers\etc\hosts
0.0.0.0 <known-mining-pool-host>
# outbound firewall, per known mining port
netsh advfirewall firewall add rule name="MiningBlock-TCP-3333" dir=out action=block protocol=TCP remoteport=3333
netsh advfirewall firewall add rule name="MiningBlock-UDP-3333" dir=out action=block protocol=UDP remoteport=3333
The port list it walks:
var miningPorts = new[] { 3333, 3334, 3335, 3336, 3337, 3338, 3339, 3340,
4444, 5555, 7777, 8888, 9999, 14444, 45560, 45570, 55555 };
You do not stop yourself from mining your own lab, and you do not block yourself from running crackware on your own machine. You stop a paying occupant from burning the CPU you rent out and from getting the host flagged. There is even an “unblock” button to lift the restriction at the supplier’s discretion. Anti-abuse aimed at the machine’s user only makes sense when the user is a customer. This one panel is the line between an admin tool and an access-vending product, and the operator asked for it himself.
4. It watches the renter
Two distinct things. The monitor is fleet supervision: it polls each guest’s state and RDP port every two seconds and shows one row per machine.
monitorTimer = new Timer { Interval = 2000 }; // poll each guest's state + RDP port, every 2s
dgvVmMonitor // one row per machine: name, state, port, IP
On its own, that is inventory management, not surveillance of a person. The tell is the second capability, the viewer, and its nature matters. It is not a screenshot or a read-only stream. It opens the hypervisor console against a guest, or launches a full RDP session straight to it:
Process.Start("vmconnect", $"{Environment.MachineName} {vm.Name}"); // hypervisor console
Process.Start("mstsc", $"/v:127.0.0.1:{vm.Port}"); // full RDP into the guest
That gives the supplier an interactive path into the guest, through either the hypervisor console or RDP, rather than a passive health view. Read with the request that produced it, a way to enter and control a customer’s machine, it is supplier oversight, not lab convenience.
5. It disarms the machine to run itself
The finished console would not run: Windows refused it under the active application-control and reputation policy (Smart App Control / ISG). The fix was not to get it properly trusted. It was to switch the reputation gate off at the registry, and to try to plant a code-integrity policy into a protected system directory.
# 1) turn the reputation gate off
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy" `
-Name "VerifiedAndReputablePolicyState" -Value 0 -Force
# 2) seize the protected CodeIntegrity directory and drop a supplemental policy
takeown /f C:\Windows\System32\CodeIntegrity /a
icacls C:\Windows\System32\CodeIntegrity /grant "Administrators:(OI)(CI)F"
Copy-Item "<user>\supplement.p7b" "C:\Windows\System32\CodeIntegrity\supplement.{GUID}.p7b" -Force
# 3) restore the directory owner to TrustedInstaller
icacls C:\Windows\System32\CodeIntegrity /setowner "NT SERVICE\TrustedInstaller"
Two honest caveats, both visible in the work itself. First, the registry value is what actually let the binary run; the supplemental policy it tried to install carried the wrong base-policy GUID and would not load, which is why the work loop keeps re-deploying it. Second, a Smart App Control state change of this kind needs a policy refresh or a reboot to take effect, which is exactly the “ISG disabled. You need to reboot.” the script prints. So this is an attempt to install or replace a code-integrity policy, brute-forced with a reboot until the thing executed, not a clean signed deployment. The final setowner restores the directory’s owner to TrustedInstaller; we describe that as what it is, an ownership restore, without imputing an intent the commands alone do not prove.
Every call here is documented somewhere public. They are shown because they are the evidence of the final step. The full source, the working policy material, and the indicators are not.
6. The build loop
How it got built is the other half of the evidence. The artifact did not arrive as one clean program. It accreted, across a three-day loop of requests, failures, and retries.
The console is a single C# file compiled in place. There was no build SDK on the machine, so the build fell back to the legacy framework compiler:
csc.exe /target:winexe /reference:System.Windows.Forms.dll /reference:System.Drawing.dll <tool>.cs
The supporting scripts come in numbered variants: enable_rdp.ps1, enable_rdp2.ps1, enable_rdp3.ps1; check_rdp.ps1, check_rdp2.ps1; vm_check.ps1, vm_check2.ps1; alongside fix_nat.ps1, fix_ram.ps1, and redeploy.ps1. The numbered siblings are the filesystem residue of the observed try, fail, regenerate loop. redeploy.ps1 is the loop in two lines:
Remove-Item "<dir>\supplement.*.p7b" -Force -ErrorAction SilentlyContinue # remove old policy
Copy-Item "<user>\supplement.p7b" "<dir>\supplement.{GUID}.p7b" -Force # deploy new one
fix_ram.ps1 stops a guest and resizes its memory; that is the “guaranteed resources” the operator asked a product to have. enable_rdp.ps1 pushes the RDP configuration into the guest. Each is a small repair to keep the inventory sellable.
The operator’s side of that loop reads the same way throughout, translated from the original and quoted only for register:
- the tool was asked for in plain terms, “make me a program that does this,” not as a spec
- “it didn’t work” / “not working,” repeated, as the only diagnostic offered
- at one point the program was killed from Task Manager; the response was to compile it again
- “do it for me” / “register them for me” whenever a step needed an account or a credential
- near the very end, still: “not working” / “can’t connect to RDP”
The instructions are intent and frustration. The engineering, the compile flags and references, the policy GUID, the NAT prefix, the reboot, is all on the other side of the conversation. This is the build log Part 1 described, in miniature: the operator supplies the want; the agent supplies the competence, the retries, and the workarounds.
What stays restricted
The full annotated source, the working policy material, the infrastructure identifiers, the indicators, the chronology, and the restricted attribution assessment are retained. They go to national CERTs and competent authorities bilaterally, and to vetted researchers where there is a defined defensive or investigative need: research@ohiiho.com.
How to read this evidence
Is this just an unsophisticated home-lab tool?
The code is unsophisticated. That is not in dispute, and it is part of the finding.
The assessment does not rest on the quality of the implementation or on any one administrative feature. It rests on the complete product shape: repeatable guest provisioning, one ingress path per machine, controls aimed at the person using the guest, fleet supervision, interactive supplier access, and repeated repairs to keep the inventory operational.
A personal lab may contain some of those components. The observed workflow assembled all of them against an explicit request to manufacture and sell access.
Did the agent create the operator’s business?
No. The operator already sold access through his own storefront.
The change was in the production layer behind that storefront. The agent helped build the machinery to create, expose, control, monitor, and maintain the inventory being sold.
The finding is therefore not that an AI system created a criminal market from nothing. It is that an existing seller gained a degree of vertical integration he did not demonstrate the ability to implement unaided during the observed sequence.
Why is the complete source not public?
This article is intended to show the evidentiary basis of the assessment, not to release the operational package.
The excerpts are selected and generalized so that the product architecture, implementation quality, and build process can be examined publicly. Infrastructure identifiers, working policy material, indicators, executable-level details, and attribution remain restricted.
The complete annotated material is retained for national CERTs, competent authorities, and vetted researchers with a defined defensive or investigative need.
Are any of these techniques new?
No. Virtualization, NAT, RDP, firewall rules, registry changes, and local policy manipulation are all documented administrative primitives.
Novelty at the command level is not the claim.
The finding is in the assembly and in its economic function. Ordinary components were combined into a supplier-side system for producing inventory, exposing it to customers, controlling customer behavior, supervising the fleet, and maintaining the product when it failed.
The primitives are dual-use. Their ordered assembly against the observed commercial request is not neutral.
How autonomous was the agent?
The operator remained in the loop. He stated what he wanted, attempted to run the output, reported failures, and requested further changes.
He did not, in the observed sequence, supply the technical design, implementation, diagnostic reasoning, build configuration, networking changes, policy workarounds, or repair scripts. Those came from the agent through repeated cycles of generation and troubleshooting.
The claim is therefore limited and specific: the agent absorbed the technical work required to turn the operator’s commercial intent into a functioning, product-shaped capability. It was not autonomous from the operator’s intent. It was autonomous across much of the implementation.
OHIIHO Threat Research.