Scam Detective

Scam Campaign

Connectwise Infrastructure Cluster

Identified on 5/29/2026

How This Campaign Connects

The primary entity at the center and the rest of the cluster around it. Showing the 4 highest-risk connections; 640 more in this cluster.

Primary Entity

domain

us06web.zoom.us.vdns.us
High Risk
  • Flagged by Google Safe Browsing
  • No SSL certificate

Campaign Narrative

Cybersecurity Threat Campaign Report: Multi-Vector Malware Distribution Network (prepared for consumer protection publication)

This report details a large-scale, multi-vector malware distribution campaign spanning 654 connected entities, including IP addresses, domains, and cloud-hosted infrastructure. The cluster represents a coordinated threat operation utilizing several distinct but overlapping malware families, command-and-control nodes, and open directory servers. The campaign involves infrastructure flagged for Mirai botnet activity, backdoor implants, credential stealers, cryptocurrency miners, and remote access trojans, indicating that multiple threat actor groups may be sharing or leasing components of the same underlying infrastructure.

A significant portion of the campaign's delivery infrastructure relies on Cloudflare's free tunneling service, with at least three domains — implementing-theft-metal-justin.trycloudflare.com, staying-heavily-meaning-blowing.trycloudflare.com, and creations-venture-traditional-stainless.trycloudflare.com — flagged for malware hosting, open directory exposure, and automated wget-based download activity tagged as ua-wget and WsgiDAV. These Cloudflare tunnel subdomains are being used as staging servers, likely to distribute malicious payloads to compromised systems while obscuring the true origin of the hosted content behind Cloudflare's legitimate network. The domain allcheat.netlify.app, hosted on Netlify's free platform, has been flagged for hosting an executable file associated with ScarfaceStealer, a credential-harvesting malware. Similarly, teamrising.ae has been flagged for distributing XWorm, an ASCII-encoded remote access trojan capable of keylogging, file exfiltration, and remote desktop control.

The campaign includes a cluster of IP addresses (103.125.219.204, 206.123.145.26, and 91.235.116.139) flagged for Mirai botnet activity alongside open directory exposure, suggesting these servers are actively recruiting vulnerable Internet of Things devices into a botnet while simultaneously serving as file distribution points. The domain arilprivate.storexyz.web.id has been explicitly tagged as a botnet domain associated with Mirai. A separate but connected group of nine IP addresses (14.236.182.73, 83.224.162.132, 123.31.81.229, 120.157.56.105, 113.176.132.141, 178.50.218.234, 92.40.112.34, 86.150.68.134, and 78.132.114.25) is uniformly tagged with backdoor, censys, elf, and sshdkit indicators. The sshdkit tag identifies these servers as nodes deploying a known Linux SSH backdoor toolkit, and their appearance in Censys internet scans suggests they are actively probing public-facing systems for vulnerabilities. The IP address 130.12.180.43 is flagged as a command-and-control monitor node dropped by the Amadey malware loader, and 104.194.152.180 has been tagged as a CoinMiner node also dropped by Amadey, indicating a clear delivery chain in which Amadey infections are used to deploy both cryptocurrency mining payloads and additional malware stages.

Campaign relationship data reveals interconnected infrastructure clusters linked with a confidence score of 0.90 across 17 documented cross-entity relationships. One cluster links the domain id3702579photo-image-docs.com to qsve.cyrd.live and blue-oceans.net under the same campaign designation, suggesting these domains serve coordinated phishing or payload delivery roles. A second cluster ties IP addresses 87.121.84.56, 45.205.1.19, 91.92.240.222, and 178.16.52.18 together in the same campaign, indicating shared attack infrastructure. A third cluster connects the domain stau4.com with mvirdi.com, 217.156.65.56, 195.177.94.99, 195.177.94.228, and 144.172.108.207, forming a tightly grouped node set that likely represents a single threat actor's operational block of servers. The IP address 5.252.21.239 has also been linked to 80.89.238.200 under the same campaign attribution.

Consumers and organizations who may have encountered any of these domains or IP addresses should take immediate protective action. Do not click on links associated with any of the flagged domains listed in this report, particularly those hosted on trycloudflare.com or netlify.app subdomains with unfamiliar or randomly generated names, as legitimate services do not typically deliver software from such addresses. If you receive unsolicited communications directing you to download files or visit unfamiliar websites, hang up or disengage immediately without clicking any embedded links. You can check whether a domain or IP address has been reported as malicious using free tools such as VirusTotal at virustotal.com, URLhaus at urlhaus.abuse.ch, or Shodan at shodan.io. To report suspicious online activity, file a complaint with the Federal Trade Commission at reportfraud.ftc.gov or with the Federal Communications Commission at fcc.gov/consumers/guides/filing-informal-complaint. Organizations running Linux servers should audit their SSH configurations immediately and check for unauthorized modifications to SSH daemon binaries, particularly if any of the flagged IP addresses appear in server access logs.
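As an added example (not part of the Scam Detective report), the following POSIX shell script performs the SSH audit recommended above: it counts auth-log lines from the nine sshdkit-tagged addresses listed in this report and checks the sshd binary against the dpkg or rpm checksum database. The sample log lines are constructed, and the package-manager checks assume a Debian- or RPM-based host.

```shell
#!/bin/sh
# Added example (not from the Scam Detective page): audit a Linux host for contact
# with the report's nine sshdkit-tagged addresses and check whether the sshd
# binary still matches the package manager's recorded checksum.

# The nine addresses the report tags backdoor/censys/elf/sshdkit.
SSHDKIT_IPS="14.236.182.73 83.224.162.132 123.31.81.229 120.157.56.105 \
113.176.132.141 178.50.218.234 92.40.112.34 86.150.68.134 78.132.114.25"

# Count log lines that mention one of the flagged addresses. The pattern is
# anchored on both sides so that 92.40.112.34 does not match 192.40.112.34.
count_flagged_hits() {
    log="$1"
    total=0
    for ip in $SSHDKIT_IPS; do
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
        n=$(grep -cE "(^|[^0-9.])${esc}([^0-9.]|\$)" "$log" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Verify sshd against dpkg/rpm metadata. Prints ok, modified or unknown.
# Caveat: a kit that also tampers with the package database defeats this check;
# compare against a known-good copy from offline media where possible.
check_sshd_binary() {
    bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$bin" >/dev/null 2>&1; then
        pkg=$(dpkg -S "$bin" | cut -d: -f1)
        if dpkg -V "$pkg" 2>/dev/null | grep -q " $bin\$"; then echo modified; else echo ok; fi
    elif command -v rpm >/dev/null 2>&1 && rpm -qf "$bin" >/dev/null 2>&1; then
        if rpm -V "$(rpm -qf "$bin")" | grep -q " $bin\$"; then echo modified; else echo ok; fi
    else
        echo unknown
    fi
}

# Constructed sample auth log (not real data) so the check can be tried offline.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
May 29 03:14:07 web1 sshd[2231]: Failed password for root from 14.236.182.73 port 51222 ssh2
May 29 03:14:09 web1 sshd[2231]: Accepted password for admin from 10.0.0.5 port 40012 ssh2
May 29 03:15:40 web1 sshd[2240]: Invalid user oracle from 78.132.114.25 port 60120
May 29 03:16:02 web1 sshd[2251]: Accepted publickey for deploy from 192.40.112.34 port 41000 ssh2
EOF
    echo "$f"
}
# Usage on a real host: . ./sshdkit_audit.sh; count_flagged_hits /var/log/auth.log; check_sshd_binary
```

Run the functions against the real auth log (or journalctl -u ssh output saved to a file) and treat any non-zero count, or a "modified" result, as grounds for the forensic review the report recommends.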

This campaign represents a high threat level due to the breadth of malware families deployed, the abuse of trusted hosting platforms to obscure malicious activity, the active exploitation of Linux and IoT devices through the sshdkit and Mirai components, and the presence of credential-stealing and remote access tools capable of causing significant financial and data loss. Recommended next steps include blocking all 654 flagged entities at the network perimeter, submitting all identified domains to Cloudflare and Netlify for abuse review, and conducting endpoint forensic reviews on any systems that may have connected to the identified infrastructure. Security teams should treat any Amadey-related indicators as high priority given that loader's role in deploying both the CoinMiner and command-and-control components identified in this cluster.
