Scam Detective

Scam Campaign

Ascii Infrastructure Cluster

Identified on 5/29/2026

How This Campaign Connects

The primary entity sits at the center of the graph, with the rest of the cluster arranged around it. Showing the 4 highest-risk connections; 665 more in this cluster.

Primary Entity

Type: domain
Value: 64.95.12.162
Risk: High Risk
  • Flagged by Google Safe Browsing
  • No SSL certificate

Campaign Narrative

Scam and Malware Campaign Report: Multi-Vector Threat Cluster of 679 Connected Entities

This report documents a large-scale, multi-vector malware and scam campaign comprising 679 connected entities, including flagged IP addresses, malicious domains, and cloud-hosted infrastructure. The cluster has been identified through shared infrastructure analysis, co-reported entities, and cross-domain relationship mapping. The campaign spans several distinct but interconnected threat families, including the Amadey dropper, Mirai botnet variants, sshdkit backdoor tooling, XWorm remote access trojan, ScarfaceStealer, and CoinMiner payloads. The breadth of threat families and the high confidence level (0.90) assigned to 15 of the 16 cross-entity relationships strongly suggest coordinated operation by one or more organized threat actors sharing backend infrastructure and distribution methods.

A significant node in this campaign is the IP address 130.12.180.43, flagged for malware and tagged as both a command-and-control monitor and a payload dropped by the Amadey loader. Amadey is a well-documented malware-as-a-service loader used to deploy secondary payloads, and its presence here connects directly to 104.194.152.180, which is also tagged as dropped-by-amadey and additionally associated with CoinMiner activity under the identifier fbf543. This indicates that once a victim machine is compromised via the Amadey loader, it is being enrolled in cryptocurrency mining operations without the user's knowledge or consent. Three Cloudflare Tunnel subdomains — implementing-theft-metal-justin.trycloudflare.com, staying-heavily-meaning-blowing.trycloudflare.com, and creations-venture-traditional-stainless.trycloudflare.com — are all flagged for malware and share the tags opendir, ua-wget, and WsgiDAV, indicating they are being used as open directory servers hosting malicious files retrieved via automated wget-based download scripts, likely serving as staging infrastructure for payload delivery.

A separate but connected cluster involves Mirai botnet infrastructure. The IP addresses 103.125.219.204, 206.123.145.26, and 91.235.116.139 are all flagged with mirai and opendir tags, and the domain arilprivate.storexyz.web.id is explicitly tagged as a botnet domain associated with Mirai. Mirai and its variants are used to compromise Internet of Things devices and Linux-based servers, recruiting them into botnets for distributed denial-of-service attacks or further payload distribution. Nine additional IP addresses — including 14.236.182.73, 83.224.162.132, 123.31.81.229, 120.157.56.105, 113.176.132.141, 178.50.218.234, 92.40.112.34, 86.150.68.134, and 78.132.114.25 — are uniformly tagged with backdoor, censys, elf, and sshdkit, meaning they have been identified through Censys internet scanning as running Linux ELF binaries associated with sshdkit, a tool used to implant SSH backdoors on compromised servers, enabling persistent unauthorized access.

The cross-entity relationships reveal additional coordinated sub-campaigns operating under shared infrastructure. The domain stau4.com is linked at 0.90 confidence to mvirdi.com, 217.156.65.56, and 195.177.94.99, forming a tightly connected node that likely serves as a shared command or redirect hub. Similarly, the domain emacra.com is linked at 0.90 confidence to both 5.252.21.239 and securrty.cfd — notably, the domain securrty.cfd appears to impersonate a legitimate security brand through deliberate typosquatting, a common tactic in phishing and credential harvesting campaigns. The domain id3702579photo-image-docs.com is linked to both qsve.cyrd.live and blue-oceans.net at 0.90 confidence, a naming pattern consistent with fake document or photo-sharing lure pages used in phishing. A further cluster connects 87.121.84.56 and 45.205.1.19 to three shared destinations — 45.13.239.70, 91.92.240.222, and 178.16.52.18 — suggesting a load-balanced or redundant delivery architecture. The domain teamrising.ae, registered under the United Arab Emirates country-code TLD, is flagged for XWorm, an ASCII-encoded remote access trojan, while allcheat.netlify.app abuses Netlify's free hosting platform to distribute ScarfaceStealer, a credential-stealing malware typically targeting browser-stored passwords, cryptocurrency wallets, and session tokens.

Consumers who encounter any of the domains, links, or contact attempts associated with this cluster are strongly advised to take the following protective steps. Do not click any links received via unsolicited email, text message, or social media that reference any of the domains identified in this report, including securrty.cfd, blue-oceans.net, id3702579photo-image-docs.com, allcheat.netlify.app, or teamrising.ae. If contacted by anyone directing you to these resources, hang up or disengage immediately and do not provide personal information, login credentials, or financial data. To verify whether a domain or IP address has been flagged as malicious, consumers and IT professionals can use free lookup tools such as VirusTotal (virustotal.com), Cisco Talos Intelligence (talosintelligence.com), or URLVoid. Suspicious activity related to this campaign should be reported to the Federal Trade Commission at reportfraud.ftc.gov and to the Federal Communications Commission at fcc.gov/consumers/guides/filing-informal-complaint. Victims who believe their systems may have been compromised should disconnect affected devices from the network, run a reputable malware scanner, change all passwords from a clean device, and contact their financial institutions if any account credentials may have been exposed.

This cluster represents a high-severity, multi-family threat campaign with infrastructure spanning multiple countries, abuse of legitimate cloud platforms including Cloudflare and Netlify, and deployment of at least six distinct malware families targeting both consumer devices and server infrastructure. The coordinated nature of the cross-entity relationships, the consistent 0.90 confidence scores, and the diversity of attack vectors indicate a sophisticated and ongoing operation. Recommended next steps include submission of all identified indicators of compromise to relevant platform abuse teams — including Cloudflare and Netlify — as well as referral to CISA and relevant national cybersecurity agencies for further investigation. Network defenders should block all flagged IP addresses and domains at the perimeter and review SSH access logs for evidence of sshdkit-related compromise.
