Scam Detective

Scam Campaign

Censys Infrastructure Cluster

Identified on 5/29/2026

How This Campaign Connects

Cluster graph: the primary entity sits at the center with the rest of the cluster around it. The 12 highest-risk connections are shown; 661 more entities belong to this cluster.

Primary Entity: 144.172.92.169 (type: domain)
Risk: High
  • Flagged by Google Safe Browsing
  • No SSL certificate

Campaign Narrative

Threat Campaign Narrative: Multi-Vector Malware Infrastructure Cluster (683 Entities)

A large-scale malware campaign encompassing 683 connected entities has been identified, involving a diverse and layered infrastructure that includes command-and-control servers, botnet distribution nodes, credential-stealing payloads, and open directory staging hosts. At the core of this cluster is IP address 130.12.180.43, flagged for malware activity and tagged as a command-and-control monitor node dropped by the Amadey loader, a well-documented malware-as-a-service platform used to distribute secondary payloads. A second Amadey-linked entity, 104.194.152.180, carries the additional tags CoinMiner and fbf543, indicating that compromised machines are being used for unauthorized cryptocurrency mining following initial infection. These two nodes suggest an organized threat actor leveraging Amadey to distribute multiple payload types across a broad victim base.

A distinct but connected sub-cluster involves Cloudflare Tunnel infrastructure being abused for malware staging. Three domains — implementing-theft-metal-justin.trycloudflare.com, staying-heavily-meaning-blowing.trycloudflare.com, and creations-venture-traditional-stainless.trycloudflare.com — are all flagged for malware and share the tags opendir, ua-wget, and WsgiDAV. These tags indicate that the actors are hosting open directory file servers accessible via automated wget-based retrieval, using the WsgiDAV server framework to serve malicious files. Abusing Cloudflare Tunnel subdomains allows the operators to obscure the true origin of their infrastructure while benefiting from Cloudflare's trusted reputation, making detection and blocking more difficult for conventional security filters.

A significant Mirai botnet component is also present within this cluster. IP addresses 103.125.219.204 and 206.123.145.26, along with the domain arilprivate.storexyz.web.id, are all tagged with mirai and opendir, indicating active botnet recruitment and file staging activity. Mirai and its variants are primarily used to compromise Internet of Things devices and internet-exposed Linux systems, enlisting them into botnets capable of conducting distributed denial-of-service attacks or serving as proxy infrastructure. The presence of arilprivate.storexyz.web.id as a dedicated botnet domain with an open directory suggests that payload files are being actively served to newly recruited devices. Additionally, nine IP addresses — including 14.236.182.73, 83.224.162.132, 123.31.81.229, 120.157.56.105, 113.176.132.141, 178.50.218.234, 92.40.112.34, 86.150.68.134, and 78.132.114.25 — are all flagged with the tags backdoor, censys, elf, and sshdkit. The sshdkit tag identifies a known Linux backdoor toolkit that patches or replaces the SSH daemon to harvest credentials, while the censys tag indicates these hosts have been observed via internet-wide scanning activity, suggesting they are either scanning for victims or have been indexed by threat researchers.

The campaign's cross-entity relationship data reveals several tightly coordinated sub-campaigns operating at 0.90 confidence. The domain emacra.com is linked to both 5.252.21.239 and securrty.cfd as same-campaign infrastructure, with the latter domain's deliberate misspelling of the word "security" being a common phishing and typosquatting tactic. Separately, id3702579photo-image-docs.com — a domain constructed to impersonate a legitimate photo or document service — is linked at high confidence to both qsve.cyrd.live and blue-oceans.net, suggesting a coordinated credential harvesting or document-lure phishing operation. A third sub-cluster connects IP addresses 87.121.84.56, 45.205.1.19, 91.92.240.222, and 178.16.52.18 in a same-campaign relationship, indicating shared operational control over these four hosts. Finally, stau4.com is linked to 217.156.65.56, mvirdi.com, and 195.177.94.99, forming another operationally unified node group. Two additional flagged entities round out the cluster: teamrising.ae, flagged for XWorm remote access trojan delivery using ASCII-encoded payloads, and allcheat.netlify.app, hosted on Netlify's legitimate infrastructure and flagged for distributing ScarfaceStealer, an executable-based credential and data theft tool likely targeting gamers through fake cheat software.

Consumer impact from this type of infrastructure is broad. Victims who interact with any of the lure domains — including those impersonating photo services or security-themed sites — risk having credentials stolen, devices enrolled in botnets, or systems silently loaded with cryptocurrency miners or remote access trojans. The use of trusted hosting platforms such as Cloudflare and Netlify increases the likelihood that consumers and automated filters will not recognize the threat before engagement. Individuals who have downloaded files from any of the open directory hosts or clicked links associated with the identified domains should consider their devices compromised and take immediate action.

Consumers who believe they have been contacted by or have visited any infrastructure associated with this campaign should take the following steps immediately. Do not click any links received via email, text, or social media that direct to unfamiliar domains, and do not download files from sites with auto-generated or suspicious subdomain names. If contacted by phone in connection with any of these services, hang up without providing any personal information. Report suspected fraud to the Federal Trade Commission at reportfraud.ftc.gov and file complaints about suspicious communications with the Federal Communications Commission at fcc.gov/consumers/guides/filing-informal-complaint. To verify whether a domain or IP address has been reported as malicious, consumers and IT professionals can consult free tools such as VirusTotal at virustotal.com, Cisco Talos Intelligence at talosintelligence.com, or URLScan at urlscan.io. Businesses should ensure that SSH access is secured with key-based authentication and that internet-exposed devices are patched against known Mirai and sshdkit exploit vectors.
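The SSH hardening advice above (key-based authentication, no password logins) is easy to get wrong because sshd honours only the first value it sees for each keyword. As an added example, not code from the Scam Detective page or any tool it names, this Python checker resolves the effective global settings of an sshd_config the way sshd does and reports deviations from that advice; the POLICY defaults are an assumption for stock OpenSSH and the sample config is constructed.

```python
# Audit of an sshd_config against the key-based-authentication advice above.
# sshd takes the FIRST value given for a keyword (later repeats are ignored), and
# lines after the first 'Match' block apply only to matching connections, so a
# late or Match-scoped "no" must not be mistaken for an effective global setting.

# keyword -> (default when absent, accepted values); defaults assume stock OpenSSH 9.x.
POLICY = {
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password", "without-password"}),
}


def effective_global_settings(config_text):
    """Resolve {keyword: value} for the global scope the way sshd does."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional, not global
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(config_text):
    """Return findings as 'keyword=value (source)'; an empty list means compliant."""
    effective = effective_global_settings(config_text)
    findings = []
    for key, (default, allowed) in POLICY.items():
        value = effective.get(key, default)
        if value not in allowed:
            findings.append(f"{key}={value} ({'explicit' if key in effective else 'default'})")
    return findings


# Constructed sample: the later 'no' does not override the first 'yes', and the
# hardening inside the Match block does not count globally.
SAMPLE_WEAK = """\
PasswordAuthentication yes
PermitRootLogin yes
# an admin added this later, but sshd already took the first value above
PasswordAuthentication no
Match Address 10.0.0.0/8
    KbdInteractiveAuthentication no
"""
```

Run `sshd -T` on the host to confirm the values sshd actually applies, and compare them with what this checker reports.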

This cluster represents a high threat level. The combination of Amadey-based payload delivery, active Mirai botnet recruitment, nine confirmed sshdkit backdoor hosts, credential-stealing tools targeting both general users and gamers, and at least four distinct coordinated sub-campaigns points to a sophisticated, multi-actor or well-resourced single-actor operation with broad targeting objectives. Recommended next steps include blocking all 683 identified entities at the network perimeter, submitting the identified domains to Cloudflare and Netlify for abuse review, and reporting the cluster to relevant national cybersecurity authorities including CISA at cisa.gov/report.
