Threats Tagged 'bulletproof-hosting'

A modular Malware-as-a-Service crypto-stealing platform called Needle has been discovered actively targeting cryptocurrency wallets through two main attack vectors: a browser extension spoofer targeting MetaMask, Phantom, and Trust Wallet, and a Rust-based desktop agent impersonating Exodus, Trezor, and Ledger applications. The campaign compromised 1,932 victims, including 111 browser extension users and 1,821 desktop sessions. The Rust agent embedded its C2 API key without protection, enabling complete enumeration of victims and withdrawal configurations across six blockchains. The operator's EVM hot wallet moved approximately $148 in ETH to cold storage. The panel's React SPA performed authentication entirely client-side, and the same credential used by infected machines could potentially redirect future auto-withdrawals. Infrastructure is hosted on ASN 202412, a known bulletproof hosting provider in Amsterdam.

A multi-domain traffic distribution system (TDS) operation was discovered, centered around the domain toxicsnake-wifes.com. The infrastructure serves as a commodity cybercrime TDS farm, routing victims to phishing, scams, or malware payloads. The operation uses a first-stage JavaScript loader, followed by a second-stage that attempts to fetch upstream payloads. The cluster shares common WHOIS, DNS, and hosting patterns, indicative of bulletproof VPS usage. Multiple burner domains with similar tradecraft were identified, suggesting an organized operator cluster. The infrastructure employs obfuscation, dynamic remote injection, and disposable registration techniques. While the main payload was unreachable during analysis, historical evidence suggests the delivery of malicious content.

MediumCampaignGermanyFranceUnited Kingdom+5#cybercrime#obfuscation#javascript