Threat Researcher @ Critical Start. Ex security analyst/engineer. Connector of Dots, Writer of Reports, & Author of Documentation. Opinions are mine alone.
Twitter: https://twitter.com/mnteye

Been a while since the last #ArechClient2 / #SectopRAT #malware #infrastructure update. Let's take a look:

A new cluster has formed in Germany using HETZNER-AS (24940):
/167.235.102.163
/144.76.163.55 on port 15648 instead of 15647 for comms
/144.76.163.20 as above

Back in early May a new IP, this time in North Holland was observed: /185.73.125.96 - XHOST-INTERNET-SOLUTIONS (208091). It remains active.

A number of new Russian IPs have been added with Prospero:
/91.215.85.23
/91.215.85.26

And Medialand:
/45.141.87.16
/45.141.87.218

A number of IPs previously tracked have either gone offline completely or have stopped serving the "EncryptionStatus" banner:
