
RE: https://infosec.exchange/@spamhaus/116804685911276876

New loader in town: SolarisLoader, spotted by @spamhaus and abuse.ch 🔥

📡 SolarisLoader IOCs (botnet C2 servers):
https://threatfox.abuse.ch/browse/tag/SolarisLoader/

📄 SolarisLoader malware samples:
https://bazaar.abuse.ch/browse/tag/SolarisLoader/

⚙️ SolarisLoader configs are available:
https://github.com/spamhaus/CTI/tree/main/solarisloader

Our platforms were recently targeted by a large-scale web scraping operation originating from devices that are apparently participating in residential proxy networks 🏘️ 🖥️ . The vast majority of these requests were successfully blocked by our existing mitigations 🛑 . However, the sheer volume of traffic caused temporary disruptions to both the MalwareBazaar and URLhaus platforms ⚠️

To put the scale into perspective, our web platforms typically handle approximately 1,500 requests per second (excluding traffic to our community API and commercial APIs). During this incident, the scraping operation leveraged more than 135,000 unique IP addresses, most of which could be identified as nodes in residential proxy networks 🔍

The offender attempted to remain undetected by sending very few requests (fewer than 5) per IP address to the platforms 🕵

Below are the top networks sourcing this traffic (by unique IPs):

2,961 AS25019 SAUDINETSTC 🇸🇦
1,995 AS206206 KNET 🇮🇶
1,984 AS9121 TTNet 🇹🇷
1,954 AS3215 Orange 🇫🇷
1,871 AS12322 PROXAD 🇫🇷
1,550 AS5410 BOUYGTEL-ISP 🇫🇷
1,531 AS37705 TOPNET 🇹🇳
1,413 AS8193 BRM-AS 🇺🇿

We are sharing details of the involved IPs, along with the relevant timestamps, here for your awareness ⤵️

https://raw.githubusercontent.com/abusech/misc/refs/heads/main/2026-06-22_Residential-Proxy-Scraping-IPs.csv
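The traffic pattern described in the post above (a very large number of source IPs, each sending only a handful of requests, concentrated in a few consumer-ISP ASNs) is invisible to per-IP rate limiting but can be surfaced from ordinary web access logs by aggregating the other way round: per-IP request counts first, then unique IPs per ASN. The script below is an added example and not abuse.ch's own tooling; the log lines, the IP-to-ASN table (TEST-NET ranges with private-use AS numbers) and the thresholds are all constructed for illustration, and a real deployment would plug in an ASN feed and thresholds scaled to the site's normal request rate.

```python
"""Spotting low-and-slow, widely distributed scraping in web access logs.

Added example, not abuse.ch code. All addresses, AS numbers and log lines
below are constructed (TEST-NET ranges, private-use ASNs).
"""
from collections import Counter
import ipaddress
import re

# Constructed access-log excerpt in combined log format.
SAMPLE_LOG = """\
203.0.113.1 - - [22/Jun/2026:10:00:01 +0000] "GET /browse/ HTTP/1.1" 200 5120
203.0.113.2 - - [22/Jun/2026:10:00:01 +0000] "GET /browse/?page=2 HTTP/1.1" 200 5120
203.0.113.3 - - [22/Jun/2026:10:00:02 +0000] "GET /browse/?page=3 HTTP/1.1" 200 5120
203.0.113.3 - - [22/Jun/2026:10:00:02 +0000] "GET /browse/?page=4 HTTP/1.1" 200 5120
203.0.113.4 - - [22/Jun/2026:10:00:03 +0000] "GET /browse/?page=5 HTTP/1.1" 403 0
198.51.100.7 - - [22/Jun/2026:10:00:03 +0000] "GET /browse/?page=6 HTTP/1.1" 200 5120
198.51.100.8 - - [22/Jun/2026:10:00:04 +0000] "GET /browse/?page=7 HTTP/1.1" 200 5120
198.51.100.9 - - [22/Jun/2026:10:00:04 +0000] "GET /browse/?page=8 HTTP/1.1" 200 5120
192.0.2.40 - - [22/Jun/2026:10:00:05 +0000] "GET /browse/?page=9 HTTP/1.1" 200 5120
192.0.2.200 - - [22/Jun/2026:10:00:05 +0000] "GET /api/v1/ HTTP/1.1" 200 300
192.0.2.200 - - [22/Jun/2026:10:00:06 +0000] "GET /api/v1/ HTTP/1.1" 200 300
192.0.2.200 - - [22/Jun/2026:10:00:07 +0000] "GET /api/v1/ HTTP/1.1" 200 300
192.0.2.200 - - [22/Jun/2026:10:00:08 +0000] "GET /api/v1/ HTTP/1.1" 200 300
192.0.2.200 - - [22/Jun/2026:10:00:09 +0000] "GET /api/v1/ HTTP/1.1" 200 300
192.0.2.200 - - [22/Jun/2026:10:00:10 +0000] "GET /api/v1/ HTTP/1.1" 200 300
"""

# Constructed prefix-to-ASN table; a real deployment would load a routing/ASN feed.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64496", "EXAMPLE-ISP-A"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64497", "EXAMPLE-ISP-B"),
    (ipaddress.ip_network("192.0.2.0/24"), "AS64498", "EXAMPLE-ISP-C"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Return (ip, path, status) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append((m["ip"], m["path"], int(m["status"])))
    return records


def lookup_asn(ip, table=ASN_TABLE):
    """Longest-prefix lookup is unnecessary for the toy table; first match wins."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in table:
        if addr in net:
            return f"{asn} {name}"
    return "UNKNOWN"


def analyze(records, max_per_ip=5):
    """Count requests per IP, then group the low-volume IPs by ASN."""
    per_ip = Counter(ip for ip, _, _ in records)
    # The post's signature: each source stays under a small per-IP budget.
    low_volume = {ip for ip, n in per_ip.items() if n < max_per_ip}
    by_asn = Counter(lookup_asn(ip) for ip in low_volume)
    return {
        "total_requests": sum(per_ip.values()),
        "unique_ips": len(per_ip),
        "low_volume_ips": len(low_volume),
        "top_asns": by_asn.most_common(),  # (asn, unique IPs), like the post's table
    }


def is_distributed_scrape(summary, min_unique_ips=5, min_low_volume_fraction=0.8):
    """Flag when many distinct IPs are seen and nearly all of them are low-volume.

    The toy thresholds fit the sample log; production values must be derived from
    the site's own baseline (the post cites ~1,500 req/s normally, 135,000 IPs here).
    """
    if summary["unique_ips"] < min_unique_ips:
        return False
    fraction = summary["low_volume_ips"] / summary["unique_ips"]
    return fraction >= min_low_volume_fraction


def format_report(summary):
    """Render the ASN table in the same 'count ASN name' shape as the post."""
    lines = [f"{summary['unique_ips']} unique IPs, "
             f"{summary['low_volume_ips']} of them below the per-IP budget"]
    lines += [f"{n:>6,} {asn}" for asn, n in summary["top_asns"]]
    return lines


if __name__ == "__main__":
    s = analyze(parse_log(SAMPLE_LOG))
    print("\n".join(format_report(s)))
    print("distributed scrape suspected:", is_distributed_scrape(s))
```

The single high-volume client (192.0.2.200) is deliberately excluded from the ASN ranking: a legitimate heavy API user looks nothing like a proxy node, and mixing it in would inflate its ASN. The trigger is the fraction of low-volume sources rather than any per-IP count, which is exactly what a per-IP limiter cannot see; pairing the ASN ranking with a residential-proxy or consumer-ISP reputation list is what turns the ranking into a blocking decision.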

Botnet C2 tied to an unidentified #malware family trying to hide as FortiGate device 😜

🌐 Domain: az2030port.duckdns .org
📡 C2: 178.16.55.28:2030 ➡️ Omegatech LTD 🇳🇱
🔐 SSL certificate: FortiGate, O=Fortinet Ltd.

Corresponding malware samples ⤵️
https://hunting.abuse.ch/hunt/6a285c89c73e5/178.16.55.28/

My favorite Remus botnet C2 domain so far 😄

havelbeenpwned .net ⤵️
NICENIC INTERNATIONAL 🇨🇳

103.211.219.238:4219 ⤵️
AS394695 PUBLIC-DOMAIN-REGISTRY 🇮🇳

Malware sample:
https://bazaar.abuse.ch/sample/75fce6ec4b0815d7ccc9d87c2687c3c379c8e446739b3302b72688dd632c9f9e/

More #Remus IOCs available on ThreatFox 🦊
https://threatfox.abuse.ch/browse/malware/win.remus/

/cc @troyhunt

Malspam 📧 targeting Spanish users 🇪🇸

Email ➡️ geo filter ➡️ mediafire ➡️ iso ➡️ vbs

1st stage - geo filter 🛑
vmi3228488.contaboserver .net Contabo 🇩🇪

2nd stage - payload 📄
https://urlhaus.abuse.ch/url/3824487/

Dropped iso:
https://bazaar.abuse.ch/sample/faaa4d005314440dfd7ed5fa2f522e1a2642f08ec3bf0c1e2779a39bf4268349/

Botnet C2:
📡 54.197.208.68 Amazon 🇺🇸

SparkRAT ➡️ ChromeSetup.msi ➡️ FUD 🔥

msftconnecttest .xyz ⤵️
Creation Date: 2024-12-02 ⤵️
After more than a year, this domain still has a detection rate of 1/93 🤯

Pointing to ⤵️
154.31.222.217:443 ➡️ DControl

Chinese? 🇨🇳
lang="zh-cn"

Malware sample:
https://bazaar.abuse.ch/sample/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c/

Proofpoint recently identified a fake RMM (Remote Monitoring and Management Tool) called #TrustConnect and #DocConnect 🔎💻 Pivoting the threat in our collection reveals that the threat actors spread the same malware under additional names, including:

➡️ SoftConnect
➡️ HardConnect
➡️ AxisControl

It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️

What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪

We track the threat on our platforms as #FakeRMM ⤵️

IOCs on ThreatFox:
🦊 https://threatfox.abuse.ch/browse/tag/FakeRMM/

Malware samples:
📄 https://bazaar.abuse.ch/browse/tag/FakeRMM/

Rogue #ScreenConnect RMM 🕵️‍♂️

Botnet C2:
📡 no.windowupdateservice .com
📡 relay.windowupdateservice .com
📡 193.26.115.51:8041

Payload delivery URL:
🌐 https://urlhaus.abuse.ch/url/3782937/

Malware sample 📄:
https://bazaar.abuse.ch/sample/77dc5435a2572a8d608e6285da887fd9aa3b16f8a9ea8c0520908990ae44015c/

More ScreenConnect RMM IOCs ⤵️
https://threatfox.abuse.ch/browse/tag/ScreenConnect/


.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.

Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#ccTLD #BotnetCC #ThreatIntel

Yet another RAT in town: RemoteX 🖥️

🪲 Dropped by Amadey
📃 Written in Golang
💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persistence (lame 🚽)
🌐 Uses WebSocket for C2 communication
🕵️‍♂️ Unauthenticated RAT admin panel 🤡

Botnet C2:
📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧)

Malware sample ⤵️
https://bazaar.abuse.ch/sample/d631655ad3ef9e7c854c86ae399a9c830bef784c6a51468d192f65a79bbb7c8b/