Gafgyt Infrastructure Cluster

Identified on 5/29/2026

How This Campaign Connects

The primary entity at the center and the rest of the cluster around it. Showing the 4 highest-risk connections; 673 more in this cluster.

Primary Entity

domain

94.154.32.153
High Risk
  • Flagged by Google Safe Browsing
  • No SSL certificate

Campaign Narrative

Threat Campaign Report: Multi-Vector Malware Infrastructure Cluster Prepared for Consumer Protection Publication

This report details a large-scale malicious infrastructure cluster comprising 687 connected entities, including flagged IP addresses, command-and-control domains, and malware distribution endpoints. The campaign is notable for its operational diversity, employing at least four distinct malware families — Amadey, Mirai, XWorm, and ScarfaceStealer — alongside SSH backdoor toolkits and cryptocurrency mining payloads. The breadth of this cluster, combined with high-confidence cross-entity relationship scores of 0.90 across 16 documented relationships, indicates a coordinated threat operation rather than isolated or unrelated incidents. The infrastructure spans multiple hosting providers and geographic regions, suggesting deliberate redundancy designed to evade takedown efforts.

At the core of this campaign is a network of command-and-control and payload-delivery nodes operating across overlapping sub-clusters. The IP address 130.12.180.43 has been flagged as a command-and-control monitor node associated with the Amadey malware loader, which also dropped the cryptocurrency miner payload observed at 104.194.152.180 (tagged CoinMiner, fbf543, dropped-by-amadey). Three Cloudflare Tunnel subdomains — implementing-theft-metal-justin.trycloudflare.com, staying-heavily-meaning-blowing.trycloudflare.com, and creations-venture-traditional-stainless.trycloudflare.com — have all been flagged for malware delivery, sharing identical tags of opendir, ua-wget, and WsgiDAV. This pattern indicates attackers are abusing Cloudflare's free tunneling service to host open directory listings from which additional malware payloads are fetched using automated wget-based user agents. The domain arilprivate.storexyz.web.id, hosted on Indonesian infrastructure, functions as a dedicated botnet domain tied to Mirai activity alongside the IP addresses 103.125.219.204 and 206.123.145.26, and is further connected through shared campaign attribution to 91.235.116.139.

A distinct sub-cluster focuses on SSH-based backdoor compromise. Nine IP addresses — 14.236.182.73, 83.224.162.132, 123.31.81.229, 120.157.56.105, 113.176.132.141, 178.50.218.234, 92.40.112.34, 86.150.68.134, and 78.132.114.25 — all carry the identical threat tags backdoor, censys, elf, and sshdkit, indicating that they are likely compromised Linux servers weaponized with SSHDKit, a tool used to implant persistent backdoors into SSH daemons. Their appearance in Censys scan data suggests they were identified through internet-wide scanning, consistent with automated mass exploitation. Separately, teamrising.ae has been flagged for hosting an XWorm remote access trojan payload delivered as ASCII-encoded content, while allcheat.netlify.app, which abuses Netlify's free hosting platform, distributes ScarfaceStealer, an information-stealing executable that harvests credentials and personal data from victim machines.

The cross-entity relationship data reveals three distinct same-campaign groupings operating with 0.90 confidence scores. In the first, the domain emacra.com is linked to both 5.252.21.239 and securrty.cfd, with all three additionally connected to 80.89.238.200 as shared infrastructure. The deliberate misspelling in securrty.cfd is a classic typosquatting or brand-impersonation technique intended to deceive users into trusting a fraudulent security-themed domain. In the second grouping, the domain id3702579photo-image-docs.com — a name constructed to mimic a document or photo-sharing service — is linked to both qsve.cyrd.live and blue-oceans.net under the same campaign designation. The third grouping connects IP addresses 87.121.84.56, 45.205.1.19, and 45.13.239.70 with 91.92.240.222 and 178.16.52.18, forming a tightly networked cluster of hosts likely serving as rotating delivery or proxy nodes. A fourth sub-cluster connects mvirdi.com, 217.156.65.56, and 195.177.94.99 to the domain stau4.com, all attributed to the same campaign at high confidence.

Consumers who encounter any domains, links, or communications referencing these entities should take immediate protective action. Do not click any links associated with domains identified in this report, do not download files from any URL containing the above domain names or IP addresses, and do not provide personal, financial, or login credentials in response to unsolicited contact. If you receive an email, message, or browser redirect involving any of these domains — particularly those mimicking security services such as securrty.cfd or document platforms such as id3702579photo-image-docs.com — close the window or hang up immediately without engaging further. To verify whether a domain or IP address is associated with known threats, consumers can consult free public lookup tools such as VirusTotal (virustotal.com) or URLVoid before clicking unfamiliar links. Suspected fraud or malicious contact should be reported to the Federal Trade Commission at reportfraud.ftc.gov and to the FCC at fcc.gov/consumers/guides/filing-informal-complaint. If you believe your device has been compromised, disconnect it from the internet and contact a qualified cybersecurity professional.

Overall, this cluster represents a high-severity, multi-vector threat operation with active infrastructure across botnet delivery, credential theft, remote access compromise, and cryptocurrency mining. The abuse of legitimate free-tier platforms including Cloudflare Tunnels and Netlify significantly lowers the operational cost for threat actors while complicating detection and blocking efforts. Recommended next steps include submission of all identified domains and IPs to relevant abuse teams at Cloudflare, Netlify, and hosting providers, escalation of the Amadey and SSHDKit sub-clusters to CISA and relevant national CERTs given the scale of Linux server compromise, and continued monitoring of the emacra.com, stau4.com, and blue-oceans.net domains for infrastructure reuse as this campaign evolves.
