Scam and Malware Campaign Report: Multi-Vector Threat Cluster of 662 Connected Entities
This report documents a large-scale, multi-vector malware and infrastructure abuse campaign comprising 662 connected entities, including malicious IP addresses, domains, and cloud-hosted payloads. The campaign is characterized by several distinct but overlapping threat families operating in coordination, including the Amadey dropper, Mirai botnet variants, SSH backdoor toolkits, a coinmining payload, and credential-stealing malware. The breadth and technical diversity of this cluster indicate a sophisticated, ongoing operation with multiple stages of infection and persistence.
A significant subset of the infrastructure involves Cloudflare Tunnel subdomains, specifically implementing-theft-metal-justin.trycloudflare.com, staying-heavily-meaning-blowing.trycloudflare.com, and creations-venture-traditional-stainless.trycloudflare.com, all flagged for open directory exposure, wget-based user agent activity, and WsgiDAV server usage. These subdomains are being abused to host and distribute payloads while hiding the true origin infrastructure behind Cloudflare's network, a known evasion technique. The IP address 130.12.180.43 has been identified as a command-and-control node with tags indicating it is monitored as a C2 server and used in conjunction with Amadey-dropped payloads. The coinminer payload associated with IP 104.194.152.180, also dropped by Amadey and tagged with the identifier fbf543, suggests that compromised systems are being enrolled in cryptocurrency mining operations without user consent. The domain allcheat.netlify.app, hosted on a legitimate cloud platform, is distributing an executable identified as ScarfaceStealer, a credential-harvesting tool, while teamrising.ae is distributing XWorm through ASCII-encoded payloads.
The Mirai botnet component of this cluster involves IP addresses 103.125.219.204, 206.123.145.26, and 91.235.116.139, as well as the domain arilprivate.storexyz.web.id, which has been flagged as a botnet domain with open directory exposure. Mirai is a well-documented malware family that targets internet-connected devices, particularly routers and IoT hardware, converting them into nodes in a distributed botnet used for denial-of-service attacks and further payload propagation. A separate but coordinated SSH backdoor campaign is linked to nine IP addresses — 14.236.182.73, 83.224.162.132, 123.31.81.229, 120.157.56.105, 113.176.132.141, 178.50.218.234, 92.40.112.34, 86.150.68.134, and 78.132.114.25 — all flagged with tags for backdoor implants, ELF binaries, sshdkit, and Censys scanning activity. The presence of Censys tags indicates these IPs have been identified through internet-wide scanning, suggesting the operators are actively probing for vulnerable SSH services across global address space.
The cross-entity relationship data reveals 17 confirmed same-campaign linkages, all assessed at 0.90 confidence. A tightly connected sub-cluster centers on stau4.com, which is directly linked to IP addresses 217.156.65.56, 195.177.94.99, and 195.177.94.228, as well as the domain mvirdi.com and IP 144.172.108.207. This group of six entities shares campaign infrastructure at high confidence, suggesting stau4.com and mvirdi.com serve as coordination or distribution hubs for this subset of the operation. A second relationship cluster connects 87.121.84.56 and 45.205.1.19 to three shared endpoints — 45.13.239.70, 91.92.240.222, and 178.16.52.18 — again at 0.90 confidence, indicating shared hosting or routing infrastructure. A third linkage connects id3702579photo-image-docs.com to both qsve.cyrd.live and blue-oceans.net at the same confidence level, suggesting these domains are part of a phishing or document-lure distribution chain. The IP pair 5.252.21.239 and 80.89.238.200 rounds out the relationship data as an additional same-campaign pairing.
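To show how the relationship data above yields its four sub-clusters and their hubs, here is an added Python example (not part of the report) that applies union-find over the linkages the text names. The edge list is a constructed subset, since only 14 of the 17 reported pairings are spelled out, and the 0.90 scores are taken from the text.

```python
from collections import Counter, defaultdict

# Linkages reconstructed from the report's narrative (constructed subset: the
# report counts 17 pairings; only those it names explicitly appear here).
LINKAGES = [  # (entity_a, entity_b, confidence)
    ("stau4.com", "217.156.65.56", 0.90),
    ("stau4.com", "195.177.94.99", 0.90),
    ("stau4.com", "195.177.94.228", 0.90),
    ("stau4.com", "mvirdi.com", 0.90),
    ("stau4.com", "144.172.108.207", 0.90),
    ("87.121.84.56", "45.13.239.70", 0.90),
    ("87.121.84.56", "91.92.240.222", 0.90),
    ("87.121.84.56", "178.16.52.18", 0.90),
    ("45.205.1.19", "45.13.239.70", 0.90),
    ("45.205.1.19", "91.92.240.222", 0.90),
    ("45.205.1.19", "178.16.52.18", 0.90),
    ("id3702579photo-image-docs.com", "qsve.cyrd.live", 0.90),
    ("id3702579photo-image-docs.com", "blue-oceans.net", 0.90),
    ("5.252.21.239", "80.89.238.200", 0.90),
]

def find(parent, x):
    """Root of x in the union-find forest, with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_entities(linkages, min_confidence=0.90):
    """Connected components over linkages with confidence >= min_confidence; largest first."""
    parent = {}
    for a, b, conf in linkages:
        parent.setdefault(a, a)
        parent.setdefault(b, b)  # register both ends even if the edge is too weak
        if conf >= min_confidence:
            parent[find(parent, a)] = find(parent, b)
    groups = defaultdict(set)
    for node in parent:
        groups[find(parent, node)].add(node)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def hubs(cluster, linkages):
    """Entities with the most direct linkages inside the cluster (likely hubs)."""
    members = set(cluster)
    degree = Counter(e for a, b, _ in linkages
                     if a in members and b in members for e in (a, b))
    top = max(degree.values())
    return sorted(e for e, d in degree.items() if d == top)
```

Raising `min_confidence` above 0.90 dissolves every cluster into singletons, which is a quick way to see how much of the grouping rests on a single score threshold.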
Consumers and organizations who encounter any of the domains or IP addresses listed in this cluster should take immediate protective action. Do not click links, open attachments, or download files associated with any of the flagged domains, including those hosted on otherwise trusted platforms such as Cloudflare, Netlify, or similar cloud services, as threat actors routinely abuse legitimate infrastructure to evade detection. If you receive unsolicited contact directing you to any of these resources, hang up or close the communication immediately. To check whether a domain or IP address has been flagged for malicious activity, use free tools such as VirusTotal at virustotal.com, URLhaus at urlhaus.abuse.ch, or Cisco Talos Intelligence at talosintelligence.com. Report suspicious domains, phishing attempts, and scam contacts to the Federal Trade Commission at reportfraud.ftc.gov and to the Federal Communications Commission at fcc.gov/consumers/guides/filing-informal-complaint. Organizations should ensure that SSH services are not exposed to the public internet without multi-factor authentication and that endpoint detection tools are updated with signatures for Amadey, Mirai, XWorm, and ScarfaceStealer.
This cluster represents a high threat level. The combination of credential theft via ScarfaceStealer, persistent SSH backdoors across nine IPs, coinminer deployment, Mirai botnet recruitment, and coordinated C2 infrastructure across 662 entities indicates a well-resourced and active threat actor or group operating multiple parallel campaigns from shared infrastructure. Recommended next steps include blocking all listed IPs and domains at the network perimeter, submitting indicators to abuse contacts for Cloudflare and Netlify, and escalating the stau4.com and mvirdi.com cluster to domain registrar abuse channels for investigation and potential takedown.
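As an added example of the perimeter blocking and detection recommended above (not from the report), this Python snippet matches constructed proxy-log lines against a subset of the report's indicators, treats subdomains of a flagged domain as hits while ignoring lookalikes, and flags wget-style fetches from trycloudflare.com hosts as described earlier. The log format, the client addresses and the sample hostnames cdn.stau4.com and notstau4.com are assumptions.

```python
import ipaddress
import re

# Indicators quoted from the report (subset), lowercase.
IOC_DOMAINS = {
    "staying-heavily-meaning-blowing.trycloudflare.com",
    "allcheat.netlify.app", "teamrising.ae", "arilprivate.storexyz.web.id",
    "stau4.com", "mvirdi.com",
}
IOC_IPS = {ipaddress.ip_address(ip) for ip in (
    "130.12.180.43", "104.194.152.180", "103.125.219.204", "217.156.65.56",
)}
# Constructed proxy-log line format: <ts> <client> <dst_host> <dst_ip> "<ua>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def host_matches(host, iocs):
    """Exact or subdomain match only; a substring test would also hit lookalikes such as notstau4.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)

def classify_line(line):
    """Return the reasons a proxy-log line should be flagged (empty if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable"]
    _ts, _client, host, dst_ip, ua = m.groups()
    reasons = []
    if host_matches(host, IOC_DOMAINS):
        reasons.append("ioc-domain")
    try:
        if ipaddress.ip_address(dst_ip) in IOC_IPS:
            reasons.append("ioc-ip")
    except ValueError:
        reasons.append("bad-ip")
    # Behavioural signal from the report: wget-style fetches from tunnel hosts.
    if host.lower().endswith(".trycloudflare.com") and ua.lower().startswith("wget"):
        reasons.append("wget-to-cloudflare-tunnel")
    return reasons

def scan_log(lines):
    """Map line index -> reasons for every flagged line."""
    return {i: r for i, l in enumerate(lines) if (r := classify_line(l))}

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2024-01-01T10:00:00Z 10.0.0.5 www.example.com 198.51.100.1 "Mozilla/5.0"',
    '2024-01-01T10:00:01Z 10.0.0.7 cdn.stau4.com 217.156.65.56 "curl/8.0"',
    '2024-01-01T10:00:02Z 10.0.0.9 staying-heavily-meaning-blowing.trycloudflare.com 198.51.100.2 "Wget/1.21"',
    '2024-01-01T10:00:03Z 10.0.0.9 notstau4.com 130.12.180.43 "Mozilla/5.0"',
]
```

The last sample line shows why a lookalike domain must not match on its own while its destination IP still does: blocking by name alone would miss it.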