Pivoting on a malspam infrastructure delivering JS malware backed by bulletproof networks
A malspam infrastructure is distributing JavaScript backdoor malware to targets in various sectors globally, including energy and finance ministries in the CIS region. The campaigns appear financially motivated, aiming at email account compromise (EAC) and business email compromise (BEC). The malicious infrastructure uses two bulletproof hosting networks: GHOSTYNETWORKS (a rebrand of OPTIBOUNCE linked to AnonRDP) and OMEGATECH (associated with Virtualine). These networks host both the spam-sending IPs and the command-and-control servers, making them resilient to takedown. Historical analysis shows this threat actor has been active since late 2025 with related malspam and malware operations supported by similar bulletproof hosting services.
AI Analysis
Technical Summary
This threat involves a malspam campaign delivering JavaScript backdoor malware. The infrastructure behind the campaign leverages two bulletproof hosting networks, GHOSTYNETWORKS and OMEGATECH, to evade takedown and maintain persistence. GHOSTYNETWORKS is linked to the known provider AnonRDP and is favored by sophisticated threat actors like TeamPCP. OMEGATECH is connected to Virtualine and advertised on underground forums. The campaign targets multiple regions and sectors, notably energy and finance ministries in the CIS region, with the intent of financial gain through email account compromise and business email compromise. The threat actor's infrastructure has been active since late 2025, indicating ongoing and evolving malicious activity.
Potential Impact
The malware facilitates email account compromise and business email compromise, potentially leading to unauthorized access to sensitive communications and financial fraud. The use of bulletproof hosting networks complicates mitigation efforts by providing resilient infrastructure that resists takedown. The targeting of critical sectors such as energy and finance ministries increases the potential impact on national and organizational security.
Mitigation Recommendations
No specific patch or remediation is applicable as this is a malware campaign leveraging bulletproof hosting infrastructure. Organizations should monitor for indicators of compromise related to JavaScript backdoors and implement email security controls to detect and block malspam. Collaboration with hosting providers and law enforcement may be necessary to disrupt the bulletproof networks. Patch status is not applicable; check the vendor advisory or threat intelligence updates for any emerging mitigation techniques.
Reddit Discussion
Hello, we have just published a report on our blog concerning a malspam network spreading a JavaScript backdoor.
• The targets of those campaigns were from all regions and sectors, notably energy and finance ministries, including in the CIS region.
• We believe the campaigns to be financially motivated and operated for email account compromise (EAC) and/or business email compromise (BEC).
• Both the IP used to send the spam and the C2 of the JavaScript backdoor were hosted on two distinct bulletproof networks: US-based GHOSTYNETWORKS and Seychelles-based OMEGATECH.
• GHOSTYNETWORKS can seemingly be considered with a high level of confidence to be a rebrand of OPTIBOUNCE and thus be linked to the infamous hosting provider AnonRDP. It was notably favored by more sophisticated threat actors like TeamPCP.
• Based on various open-source intelligence, OMEGATECH seems to be yet another network created by hosting provider Virtualine, advertised on underground forums.
• Pivots on the threat actor’s infrastructure unveiled previous malspam and malware activities from the end of 2025, also backed by other bulletproof solutions.
Link for the report: https://www.intrinsec.com/wp-content/uploads/2026/05/TLP-CLEAR-Pivoting-on-a-malspam-infrastructure-EN.pdf
Technical Details
- Source Type: Subreddit
- Subreddit: ThreatIntelligence+threatintel+websecurityresearch
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":35,"reasons":["external_link","newsworthy_keywords:malware","established_author"],"isNewsworthy":true,"foundNewsworthy":["malware"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a2fc99f0b89be6888a03b8e
Added to database: 6/15/2026, 9:45:03 AM
Last enriched: 6/15/2026, 9:45:13 AM
Last updated: 6/15/2026, 11:09:01 AM
Views: 3