urlscan.io

🇸🇦 🇮🇷 𝗡𝗲𝘄 𝗠𝗶𝗱𝗱𝗹𝗲 𝗘𝗮𝘀𝘁 𝗺𝗮𝗹𝗶𝗰𝗶𝗼𝘂𝘀 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗿𝗲𝗽𝗼𝗿𝘁: 𝟭,𝟯𝟱𝟬+ 𝗖𝟮 𝗦𝗲𝗿𝘃𝗲𝗿𝘀 𝗠𝗮𝗽𝗽𝗲𝗱 𝗔𝗰𝗿𝗼𝘀𝘀 𝟵𝟴 𝗣𝗿𝗼𝘃𝗶𝗱𝗲𝗿𝘀 Over a three-month window, we mapped more than 1,350 active C2 servers operating across 98 infrastructure providers in 14 Middle Eastern countries, covering telecoms, shared hosting, and VPS environments. 👉 Read the full report: https://t.co/Bnfwe2Yufq Here's what the data shows: → A single telecom carrier accounts for nearly 72% of all detected regional C2 activity, most of it tied to compromised customer endpoints rather than provider-level abuse → C2 infrastructure makes up over 96% of all observed malicious artifacts in the region → Tactical RMM leads the malware family breakdown with 92 unique C2 IPs, followed by Keitaro TDS (71) and Acunetix (38) → The malware mix covers a wide range of attack types - IoT botnets (Mozi, Hajime, Mirai), remote access tools (AsyncRAT, Sliver, Cobalt Strike), active scanning (Acunetix), and phishing infrastructure (Gophish, Keitaro TDS) → Campaigns in the dataset include Eagle Werewolf espionage operations, the DYNOWIPER destructive campaign targeting Poland's energy sector, and RondoDox botnet exploitation infrastructure on Iranian hosting The main takeaway is that malicious infrastructure in the region is not evenly spread. A small set of providers keeps showing up across unrelated campaigns and malware families, which is where the tracking value is. Provider-level visibility is what lets defenders get ahead of that pattern, rather than reacting to individual indicators that rotate daily. Full breakdown, including infrastructure observables, HuntSQL queries, and campaign examples, is in the report 👇 https://t.co/Bnfwe2Yufq

🚨 NEW RESEARCH: xlabs_v1 DDoS-for-Hire IoT Botnet Exposed - One Open Directory. An Entire Operation Revealed. https://t.co/Iutpdqpw2r The operator built a full commercial DDoS-for-hire operation. Tiered pricing, 21 flood variants, competitor-killing routines baked in. Then left the whole toolkit on a public server with no login. https://t.co/aojFWxKETZ AttackCapture tool had it indexed before they noticed. Key findings: - Botnet branded xlabs_v1, operator handle Tadashi, targeting game servers and Minecraft hosts - 21 flood variants including RakNet and OpenVPN-shaped UDP to dodge common filters - TCP/5555 observed open on 4M+ hosts in the past 180 days, any running ADB is a potential target - ChaCha20 encryption broken via known-plaintext, full nonce reuse across all 16 calls - C2, staging, distribution, and Monero cryptojacking all inside one bulletproof /24 in the Netherlands 👉 Full IOCs, MITRE mapping, and HuntSQL queries: https://t.co/Iutpdqpw2r

🚨 🇷🇺 We tracked 1,252 active C2 servers across 165 Russian hosting providers over 90 days. Here's what's running inside those networks. C2 traffic accounts for 88.6% of all observed malicious artifacts. The rest splits between malicious open directories (5.3%), phishing infrastructure (4.9%), and public IOCs (1.2%). The hosting concentration is notable: - TimeWeb leads with 311 C2 detections - WebHost1 follows with 140, REG[.]RU with 138 - PROSPERO OOO hosts 80 C2s alongside 30 malicious open directories and 50 phishing sites - Yandex[.]Cloud carries the widest malware diversity: 11 distinct families across 39 C2 endpoints On the malware side: - Keitaro dominates with 587 unique C2 IPs - Hajime (191), Mozi (48), and Mirai (13) show IoT botnet infrastructure is still active - Cobalt Strike, Sliver, and Ligolo-ng are all present across the ecosystem Specific campaigns tied to this infrastructure include Latrodectus via ClickFix on TimeWeb, Lumma Stealer on REG[.]RU, Remcos RAT via SmartApeSG on Hosting Technology LTD, and intrusion activity attributed to Head Mare inside LLC Smart Ape. Full research with Host Radar breakdowns and HuntSQL queries 👇 https://t.co/beGsn80vxO #ThreatHunting #ThreatIntelligence #C2 #Malware #CyberSecurity