Scam and Malware Campaign Report: Multi-Vector Threat Cluster of 662 Connected Entities
This report details a large-scale, multi-vector malicious infrastructure campaign comprising 662 connected entities, including flagged IP addresses, domains, and cloud-hosted malware staging points. The cluster represents several overlapping malware families and delivery mechanisms operating simultaneously, with cross-entity relationships confirmed at a 0.90 confidence level across 17 documented entity pairs. The breadth of this cluster, spanning botnet infrastructure, command-and-control nodes, credential stealers, and backdoor implants, indicates a coordinated threat operation rather than isolated opportunistic activity.
At the core of the infrastructure, the IP address 130.12.180.43 has been flagged for malware activity and tagged as a command-and-control monitor node associated with the Amadey malware loader, which is also linked to the coin-mining payload hosted at 104.194.152.180 bearing the tags CoinMiner, dropped-by-amadey, and the identifier fbf543. Amadey is a well-documented loader-as-a-service tool used to deploy secondary payloads onto compromised systems. Three Cloudflare Tunnel subdomains, specifically implementing-theft-metal-justin.trycloudflare.com, staying-heavily-meaning-blowing.trycloudflare.com, and creations-venture-traditional-stainless.trycloudflare.com, are all flagged for malware and share the tags opendir, ua-wget, and WsgiDAV, indicating they are being used as open directory file servers to stage and distribute malicious files via automated download tools. The domain allcheat.netlify.app, hosted on Netlify, is distributing a payload tagged as ScarfaceStealer, a credential-harvesting tool, while teamrising.ae is flagged for distributing XWorm, a remote access trojan, with encoded ASCII obfuscation.
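As an added example that is not part of the report, the following Python detector runs over constructed proxy log lines and flags the pattern the trycloudflare.com entries above describe: tunnel-hosted open directories served by WsgiDAV and fetched with wget-style download tools. The log format, the field names and the inclusion of a curl user-agent prefix are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the report).
# Fields: timestamp client method url "user-agent" "server-header"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://implementing-theft-metal-justin.trycloudflare.com/ "Wget/1.21.3" "WsgiDAV/4.3.0"
2024-01-01T10:00:07Z 10.0.0.5 GET http://implementing-theft-metal-justin.trycloudflare.com/update.exe "Wget/1.21.3" "WsgiDAV/4.3.0"
2024-01-01T10:01:12Z 10.0.0.9 GET https://www.example.org/index.html "Mozilla/5.0" "nginx"
2024-01-01T10:02:30Z 10.0.0.12 GET https://staying-heavily-meaning-blowing.trycloudflare.com/bin/ "Mozilla/5.0" "WsgiDAV/4.3.0"
2024-01-01T10:03:00Z 10.0.0.7 GET https://docs.example.com/a.pdf "Wget/1.21.3" "Apache"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Assumed heuristics mirroring the report's tags (opendir, ua-wget, WsgiDAV).
STAGING_SUFFIX = ".trycloudflare.com"
DOWNLOADER_UA_PREFIXES = ("Wget/", "curl/")  # assumption: curl added beyond the ua-wget tag


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua, server = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname or "", "path": urlparse(url).path,
            "ua": ua, "server": server}


def classify(rec):
    """Return the report-style tags that fire for one parsed record."""
    tags = []
    if rec["host"].endswith(STAGING_SUFFIX):
        tags.append("trycloudflare-host")
    if rec["ua"].startswith(DOWNLOADER_UA_PREFIXES):
        tags.append("ua-wget")
    if "WsgiDAV" in rec["server"]:
        tags.append("WsgiDAV")
        if rec["path"].endswith("/"):  # directory listing request on a WsgiDAV server
            tags.append("opendir")
    return tags


def detect(log_text):
    """Alert only when the tunnel host is combined with at least one staging signal,
    so ordinary use of a trycloudflare.com service on its own does not fire."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if "trycloudflare-host" in tags and len(tags) > 1:
            alerts.append({"client": rec["client"], "url": rec["url"], "tags": tags})
    return alerts


def clients_by_host(alerts):
    """Group alerting internal clients per staging host, for triage."""
    out = {}
    for a in alerts:
        out.setdefault(urlparse(a["url"]).hostname, set()).add(a["client"])
    return out
```

Against the constructed sample, the two wget fetches and the browser visit to the WsgiDAV directory listing on the tunnel hosts alert, while the wget fetch from the non-tunnel host does not.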
A separate but connected cluster involves Mirai botnet infrastructure. The IP addresses 103.125.219.204, 206.123.145.26, and 91.235.116.139, along with the domain arilprivate.storexyz.web.id, are all tagged with mirai and opendir, suggesting active Mirai variant staging and distribution. Mirai-family botnets are known to target internet-of-things devices and unpatched routers to build distributed denial-of-service capabilities. Simultaneously, nine IP addresses including 14.236.182.73, 83.224.162.132, 123.31.81.229, 120.157.56.105, 113.176.132.141, 178.50.218.234, 92.40.112.34, 86.150.68.134, and 78.132.114.25 share identical threat tags of backdoor, censys, elf, and sshdkit, indicating a coordinated SSH backdoor deployment campaign targeting Linux systems. The censys tag suggests these hosts have been identified through internet-wide scanning services, and sshdkit is associated with tools that implant persistent backdoors into SSH daemon processes.
The cross-entity relationship data reveals two distinct sub-clusters linked by same-campaign relationships at 0.90 confidence. The first connects the domains id3702579photo-image-docs.com, qsve.cyrd.live, and blue-oceans.net, suggesting a shared phishing or document-lure campaign using convincing photo- and document-themed domain names. The second sub-cluster ties the IP addresses 87.121.84.56, 45.205.1.19, 45.13.239.70, 91.92.240.222, and 178.16.52.18 together as co-participants in a single campaign, likely serving as rotating command-and-control or payload delivery nodes. A third grouping connects stau4.com to the IPs 217.156.65.56, 195.177.94.99, and 195.177.94.228 and to the domain mvirdi.com; mvirdi.com is in turn linked to 144.172.108.207 and 217.156.65.56, forming a tightly associated infrastructure cluster that may represent a shared hosting or bulletproof hosting arrangement used across multiple campaign phases.
Consumer protection is critical given the scope and sophistication of this infrastructure. If you receive unsolicited messages, emails, or links referencing any of the domains listed in this report, do not click any links, do not download attachments, and do not provide any personal or financial information. If contacted by phone, hang up immediately. You can verify whether a domain or IP address has been reported as malicious by checking resources such as VirusTotal at virustotal.com, URLVoid at urlvoid.com, or the Google Safe Browsing transparency report at transparencyreport.google.com. To report suspicious contact or fraudulent activity, file a complaint with the Federal Trade Commission at reportfraud.ftc.gov or with the Federal Communications Commission at fcc.gov/consumers/guides/filing-informal-complaint. If you believe your device may have been compromised, disconnect it from the internet, run a reputable antivirus scan, and contact your internet service provider.
In summary, this 662-entity cluster represents a high-threat, multi-family malware campaign combining Amadey loader activity, Mirai botnet staging, SSH backdoor implantation, credential theft via ScarfaceStealer, remote access trojan distribution via XWorm, and coordinated phishing infrastructure. The 0.90 confidence same-campaign relationships across 17 entity pairs confirm deliberate infrastructure coordination. Recommended next steps include reporting all identified domains and IP addresses to abuse contacts and relevant hosting providers, submitting indicators of compromise to threat intelligence sharing platforms, and escalating the Cloudflare and Netlify-hosted assets to those platforms' abuse teams for immediate takedown review.