# C&C Hacker On Every Start. Is There Any Hope?

8 messages · Page 1 of 1 (latest)

hot junco
#

My account has been disabled because an attacker/hacker continues to breach my said account and Shadow support continues to forward me to the ubiquitous 'knowledge base' - Then I'm forced to prove myself by showing documentation of Identity and past Purchases (understandable)... but there's a problem from a security standpoint. Rather than uploading through a secure form on a designated page with a randomly generated key bound to your case ID, you respond via EMAIL!!! AKA sending my ID through unencrypted email messages!!! WHY?

How do I get someone to take me seriously around here? Can I just have a call with a support person where they watch my machine and I explain what occurs exactly, second by second? I understand the issue. I'm a programmer and security researcher in training. I know I am being targeted and this has led to my being accused of inappropriate use of my account. This is understandable because there is someone using remote access and maliciously controlling the machines I try to use for legitimate purposes. I'm trying to use the machines for very simple purposes. Someone is trying to prevent me from doing anything with said machines, to the point that my account is in jeopardy.

All I do is: 1) update Windows, 2) harden security with a non-admin account, 3) install Brave, 4) install Steam, 5) play games with friends.

I just do not get how instant remote access upon startup is possible. As soon as I start up the machine, the bad actor has the IP address, logs in remotely, creates a temp account, installs New Relic (for monitoring - ironically I use that for work, so it can be difficult to weed that out in my firewall), duplicates Registry entries, compromises Windows signing authorities and launches a variety of background services that communicate with the C&C server. This happens by the time I've finished updating Windows. When I update, obviously, it finalizes their process. It limits my bandwidth to 7 Mbps.

Is there any hope for me using this service?

#

To follow and rephrase for the rubric:

Hacker on Every Start of Box

Description
Read Above

Summary
Read Above

Troubleshooting

  • Does this happen when you use Shadow on other devices?

Yes. My 2019 MacBook Pro has the same issue. I believe it is a hacker living inside my network. I am unsure of how to rid my network of them completely aside from bringing in a Private Investigator, Lawyer and Research team to track them down.

  • Is the issue present on different networks and or connection types?

Yes. I believe it is device specific, unrelated to the connection type. The hacker has infiltrated the firmware of my router and/or telecom systems, so there is no direct method to gain access to the internet without passing through their filtration system. As if it were a state-sponsored attack. Which is insane to think about. Like. I don't know what I could have done to make someone go after me like this. I use encryption to keep my life safe, not to hide nasty things. I wouldn't hurt a fly; I'm a kind and caring person who's empathetic to others, probably more so than I should be. It often makes me come across as "soft."

  • If it's an issue with a game or app, does the issue happen with other software?

Interestingly, yes. But in odd ways. I've tried a different service, Nvidia GeForce NOW, and only some of my games sync to that service, so I've been a bit confused as to why. There are also background processes that run on my Mac that shouldn't be running, which I often need to force quit in order to keep the machine running at a normal level.

  • Datacenter

Portland 01 (before I was unable to see it, now I can)

  • The country you're connecting from

California, United States of America, GMT-7

  • Your ISP

AT&T Fiber

  • Connection Type

Wi-Fi 2.4 GHz mainly - sometimes 5 GHz, or rarely Ethernet (Cat 6)

  • OS and device model

Mac Mini 2020, M1 ARM, Sequoia 14.6.1, 16GB RAM, 1TB SSD

last kite
#

New Relic is a service used by Shadow.

hot junco
#

Okay. That still doesn't explain the custom services that are modified after setup of the box, which seem to use Command Prompt and svchost to tunnel traffic - almost at an alarming rate. So much so that when I attempt to connect later, my box either gives me the indication that it has BSOD'd, or I cannot connect because someone else is already using the screen and it asks if I want to use two screens - which is a clear indication to me that someone else is using my box, but I don't know how. I use a hardware security key to authenticate in and out of the website - unless they've broken that security...

#

I'm just trying to figure out why I can't use this like I used to. It used to be so simple. Pay, push the button, use the system. Boom. Now it's like I'm in cyber warfare.

hot junco
#

Sorry for all the whining. Support has been VERY helpful.
