Cybersecurity Threat Campaign Report: Multi-Vector Malware Distribution Network
Analysts have identified a cluster of 25 interconnected malicious entities operating across multiple coordinated malware distribution campaigns. The infrastructure spans domains, IP addresses, and cloud storage endpoints across geographies including Russia (markway.ru), Hong Kong-routed Alibaba Cloud infrastructure (klsmw.oss-cn-hongkong.aliyuncs.com), and numerous anonymized hosting providers. The campaign targets both Windows and macOS users, with macOS-specific payloads appearing across at least six entities including 77.90.185.24, 46.226.162.217, download-api-endpoint.com, endpoint-api-node.com, thickentributary.digital, and stradisamplix.com. The breadth and cross-platform nature of this infrastructure indicate a well-resourced threat operation with multiple delivery mechanisms running in parallel.
The first major sub-cluster is organized around ads-storage.biz, which serves as a command-and-control hub linking five other entities with same-campaign confidence scores of 0.82. These entities — 158.94.209.95, 62.60.226.203, 91.92.241.242, ggc-partners.top, and indexsearchfindresult.com — are all tagged as dropped-by-GCleaner, a known malware dropper that installs secondary payloads after initial infection. The IP address 62.60.226.203 is particularly dangerous, carrying tags for CoinMiner, spyware, dropper, and malware, and is known to pull payloads from GitHub and GitLab repositories to evade static detection. The indexsearchfindresult.com domain is flagged as both a command-and-control node and a ClickFix delivery point, suggesting it is used to redirect victims through fake browser fix prompts that trigger malware execution.
The second major sub-cluster centers on markway.ru, a Russian-hosted domain tagged with the Convagent trojan, and its associated entity transporteloggi.com. These two domains are linked at 0.80 confidence to 77.91.96.122 (an Android APK trojan distributor), klsmw.oss-cn-hongkong.aliyuncs.com (tagged as SilverFox trojan), and dpsradars.shop. The domain novacinder.digital bridges into this cluster with a 0.76 confidence link to transporteloggi.com and a stronger 0.86 confidence link to download-api-endpoint.com, which along with endpoint-api-node.com forms a pair of macOS-targeted download nodes. The SilverFox trojan distributed through Alibaba Cloud object storage is a particularly notable element, as abuse of legitimate cloud storage services allows malware to bypass domain-based blocklists.
A third distinct threat thread involves the ClickFix and AMOS infostealer delivery chain operating through stradisamplix.com and api.aloparatoriuz.com, both tagged for macOS malware downloads. These domains deploy AMOS, a macOS-focused information stealer capable of harvesting browser credentials, cryptocurrency wallets, and system data. The IP address 77.90.185.24 amplifies this threat by supporting multiple social engineering lure variants including ClearFake, GDriveVerify, NewContract, and Odyssey, all fake browser or document verification pages designed to trick users into running malicious scripts. The domain ssagntroplexa.com, tagged with ConnectWise and malware, suggests that at least one component of this campaign abuses legitimate remote access tooling, a tactic increasingly used to maintain persistent access to victim machines after initial compromise. Additionally, duobeam.com deploys a NodeJS and JavaScript-based infostealer, while filehost.sbs serves as a traffic distribution system for malvertising campaigns that redirect users to malware-hosting pages.
Consumer Impact and Protection Advice
Consumers who have interacted with any of these domains, clicked on fake browser update prompts, or downloaded files from pages mimicking Google Drive, contract portals, or software update screens may have had credentials, financial account data, or cryptocurrency wallet information stolen. macOS users are at heightened risk given the volume of AMOS and macOS-specific payloads in this cluster. If you are contacted by any service directing you to one of these domains, do not click any links, do not download any files, and do not follow on-screen instructions to copy and paste commands into your terminal or run scripts. Hang up immediately on any phone-based component of such a scheme. To verify whether a domain or IP address is associated with malicious activity, consumers and IT professionals can query public threat intelligence resources such as VirusTotal (virustotal.com), URLhaus, or the Cisco Talos Intelligence database before visiting any unfamiliar link. Report suspected fraud to the Federal Trade Commission at reportfraud.ftc.gov and to the FCC at fcc.gov/consumers/guides/filing-informal-complaint. If you believe your device has been compromised, disconnect it from the network immediately and contact a qualified cybersecurity professional.
Threat Level Assessment and Recommended Next Steps
This cluster represents a high-severity, multi-platform threat operation with active command-and-control infrastructure, cross-platform payloads, and abuse of legitimate services including Alibaba Cloud, GitHub, GitLab, and remote access tools. The interconnected same-campaign relationships across 19 entity pairs confirm coordinated operation rather than isolated incidents. Network defenders should immediately block all 25 entities at the perimeter firewall and DNS filtering layer. Endpoint detection tools should be updated to detect AMOS, SilverFox, Convagent, and GCleaner dropper signatures. Organizations using ConnectWise or similar remote management tools should audit active sessions for unauthorized access. Consumer-facing agencies should issue public advisories warning of ClickFix and fake browser update lures targeting both Windows and macOS users. Ongoing monitoring of novacinder.digital and the download-api-endpoint.com and endpoint-api-node.com pair is warranted given their active role in bridging the two primary sub-clusters.
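To turn the blocking and monitoring advice above into something a defender can run, here is an added example (not part of the report) that matches the 22 indicators named in this report against DNS resolver and proxy log lines. The log lines are constructed samples in Unbound and Squid style; the hostname token regex is a deliberate simplification of real log parsing.

```python
"""Scan DNS and proxy logs for the indicators named in the report above."""
import ipaddress
import re

# The 22 entities quoted in the report (the cluster has 25; the rest are not named there).
CAMPAIGN_IOCS = {
    "ads-storage.biz", "ggc-partners.top", "indexsearchfindresult.com",
    "markway.ru", "transporteloggi.com", "dpsradars.shop", "novacinder.digital",
    "klsmw.oss-cn-hongkong.aliyuncs.com", "download-api-endpoint.com",
    "endpoint-api-node.com", "thickentributary.digital", "stradisamplix.com",
    "api.aloparatoriuz.com", "ssagntroplexa.com", "duobeam.com", "filehost.sbs",
    "158.94.209.95", "62.60.226.203", "91.92.241.242", "77.91.96.122",
    "77.90.185.24", "46.226.162.217",
}
IOC_IPS = {ipaddress.ip_address(i) for i in CAMPAIGN_IOCS if i[0].isdigit()}
IOC_DOMAINS = CAMPAIGN_IOCS - {str(ip) for ip in IOC_IPS}
# Candidate dotted-quad IPs and hostnames inside a free-form log line (simplified).
TOKEN_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)

def match_indicator(value: str):
    """Return the indicator a hostname or IP matches, else None. IPs match exactly;
    hostnames match a listed name or any label beneath it, so the Alibaba bucket FQDN
    matches while aliyuncs.com as a whole does not. A trailing dot (BIND/Unbound) is stripped."""
    v = value.strip().lower().rstrip(".")
    try:
        return v if ipaddress.ip_address(v) in IOC_IPS else None
    except ValueError:
        pass  # not an IP literal; fall through to hostname matching
    for d in IOC_DOMAINS:
        if v == d or v.endswith("." + d):
            return d
    return None

def scan_log(lines):
    """Return [(line_no, token, indicator)] for every indicator hit in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            ioc = match_indicator(tok)
            if ioc:
                hits.append((n, tok, ioc))
    return hits

# Constructed sample lines in Unbound query-log and Squid access-log style.
SAMPLE_LOG = [
    "Jun 01 10:02:11 unbound[812]: info: 10.0.0.12 markway.ru. A IN",
    "Jun 01 10:02:14 unbound[812]: info: 10.0.0.12 files.download-api-endpoint.com. A IN",
    "Jun 01 10:03:02 squid: 10.0.0.40 TCP_MISS/200 GET http://62.60.226.203/update.exe",
    "Jun 01 10:03:09 unbound[812]: info: 10.0.0.12 www.example.com. A IN",
]
```

Running scan_log(SAMPLE_LOG) returns three hits (lines 1 to 3, including the subdomain of download-api-endpoint.com); the www.example.com query on line 4 is not flagged.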