Cybersecurity Threat Campaign Report: Multi-Vector Malware Distribution and Botnet Infrastructure Cluster
This report documents a large-scale malicious infrastructure cluster comprising 673 connected entities, including flagged IP addresses, malicious domains, and cloud-hosted attack vectors. The campaign involves multiple distinct but overlapping threat families, including the Amadey malware loader, Mirai botnet variants, SSH backdoor toolkits, a credential stealer identified as ScarfaceStealer, and XWorm remote access trojan activity. The breadth and variety of threat types observed across this cluster indicate a coordinated, multi-stage operation in which different components serve distinct functions: initial infection, payload delivery, command-and-control communication, and data exfiltration.
A significant subset of this infrastructure relies on Cloudflare's free quick-tunnel service, which exposes a locally running web server on a randomly generated trycloudflare.com subdomain without requiring a Cloudflare account, to host open directories and deliver payloads to automated download tools. The domains implementing-theft-metal-justin.trycloudflare.com, staying-heavily-meaning-blowing.trycloudflare.com, and creations-venture-traditional-stainless.trycloudflare.com are all flagged for malware and share the tags opendir, ua-wget, and WsgiDAV, indicating that each serves an open directory through WsgiDAV, a Python-based WebDAV server, and that the files are being fetched by clients presenting a wget user agent, a common pattern for pulling second-stage payloads onto compromised Linux systems. The IP address 130.12.180.43 is flagged as a command-and-control node associated with the Amadey loader, and 104.194.152.180 is tagged as having dropped a CoinMiner payload also attributed to Amadey, indicating that the loader is being used to distribute multiple downstream threats within the same campaign.
The Mirai botnet component of this cluster is represented by the IP addresses 103.125.219.204 and 206.123.145.26 and the domain arilprivate.storexyz.web.id, all of which carry the mirai and opendir tags. Mirai-based botnets target Internet of Things devices and Linux-based servers, conscripting them into distributed denial-of-service attacks and using them to scan for and infect further hosts. Additionally, nine IP addresses (14.236.182.73, 83.224.162.132, 123.31.81.229, 120.157.56.105, 113.176.132.141, 178.50.218.234, 92.40.112.34, 86.150.68.134, and 78.132.114.25) are all flagged with the tags backdoor, censys, elf, and sshdkit, indicating that they host an ELF toolkit that implants SSH backdoors on Linux systems and that they were identified in Censys internet-scan data, meaning the backdoored service is exposed to the internet and discoverable by anyone scanning for it.
The cross-entity relationship data reveals 18 high-confidence same-campaign linkages among additional IP addresses and domains, each assessed at 0.90 confidence. Notably, the domain stau4.com is linked to four separate entities: the IP addresses 217.156.65.56, 195.177.94.99, and 195.177.94.228, as well as the domain mvirdi.com, suggesting that stau4.com functions as a central coordinating or staging domain within one campaign thread. Separately, the domain id3702579photo-image-docs.com is connected to both qsve.cyrd.live and blue-oceans.net under the same campaign designation, a pattern consistent with phishing or credential-harvesting infrastructure using deceptive document-themed domain names. The IP addresses 87.121.84.56 and 45.205.1.19 each share same-campaign relationships with the same three destinations, 45.13.239.70, 91.92.240.222, and 178.16.52.18, indicating shared routing or payload distribution infrastructure behind both. Additional infrastructure includes the domain teamrising.ae, flagged for XWorm activity with encoded payloads, and allcheat.netlify.app, which is delivering an executable file associated with ScarfaceStealer, a credential-harvesting malware often distributed through fake game-cheat or software-crack sites.
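The hub and shared-neighbour observations above fall out mechanically once the linkages are treated as a graph. The following Python is an added example, not part of the original report or its tooling: it transcribes only the twelve same-campaign edges the report names explicitly (the remaining six of the 18 are not listed in the report and are not invented here), then finds connected components (campaign threads), degree-ranked hubs such as stau4.com, and unlinked pairs of nodes that share several neighbours, the pattern noted for 87.121.84.56 and 45.205.1.19. The 0.90 confidence threshold and the degree and shared-neighbour cut-offs are assumptions chosen for illustration.

```python
"""Campaign-graph analysis over the same-campaign linkages named in the report.

Added example, not the report's own tooling. The edge list is transcribed from
the relationships the report states explicitly; edges the report does not list
are not included.
"""
from collections import defaultdict
from itertools import combinations

# (entity_a, entity_b, confidence), as stated in the report text
SAME_CAMPAIGN_EDGES = [
    ("stau4.com", "217.156.65.56", 0.90),
    ("stau4.com", "195.177.94.99", 0.90),
    ("stau4.com", "195.177.94.228", 0.90),
    ("stau4.com", "mvirdi.com", 0.90),
    ("id3702579photo-image-docs.com", "qsve.cyrd.live", 0.90),
    ("id3702579photo-image-docs.com", "blue-oceans.net", 0.90),
    ("87.121.84.56", "45.13.239.70", 0.90),
    ("87.121.84.56", "91.92.240.222", 0.90),
    ("87.121.84.56", "178.16.52.18", 0.90),
    ("45.205.1.19", "45.13.239.70", 0.90),
    ("45.205.1.19", "91.92.240.222", 0.90),
    ("45.205.1.19", "178.16.52.18", 0.90),
]


def build_graph(edges, min_confidence=0.90):
    """Undirected adjacency map, keeping only edges at or above the threshold (assumed cut-off)."""
    graph = defaultdict(set)
    for a, b, conf in edges:
        if conf >= min_confidence:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def connected_components(graph):
    """Each component is one campaign thread; largest first."""
    seen, components = set(), []
    for start in graph:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node] - comp)
        seen |= comp
        components.append(sorted(comp))
    return sorted(components, key=len, reverse=True)


def hubs(graph, min_degree=3):
    """(node, degree) for nodes with degree >= min_degree, highest degree first.
    High-degree nodes are the candidates for a staging or coordination role."""
    ranked = sorted(graph.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(node, len(neigh)) for node, neigh in ranked if len(neigh) >= min_degree]


def shared_infrastructure(graph, min_shared=2):
    """Pairs of nodes that are NOT directly linked but share >= min_shared neighbours:
    distinct sources talking to the same downstream nodes suggests shared infrastructure."""
    pairs = []
    for a, b in combinations(sorted(graph), 2):
        if b in graph[a]:
            continue
        common = graph[a] & graph[b]
        if len(common) >= min_shared:
            pairs.append((a, b, sorted(common)))
    return pairs


if __name__ == "__main__":
    g = build_graph(SAME_CAMPAIGN_EDGES)
    for comp in connected_components(g):
        print("thread:", ", ".join(comp))
    print("hubs:", hubs(g))
    for a, b, common in shared_infrastructure(g):
        print(f"{a} and {b} share {len(common)} neighbours: {common}")
```

Running it reproduces the report's reading of the graph: stau4.com is the only degree-4 node, the three threads come out as separate components, and 87.121.84.56 and 45.205.1.19 are the one unlinked pair with three common neighbours. On the full 673-entity cluster the same functions scale without change; only the edge list grows.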
Consumers and end users who may have encountered any of these domains or received communications directing them toward these addresses should take immediate protective action. Do not click any links associated with the domains listed in this report, including those appearing on trycloudflare.com subdomains or netlify.app-hosted pages. If contacted through email, messaging platforms, or social media with links to any of these resources, do not engage and do not download any files. Users who believe they have visited or downloaded content from these domains should run a full antivirus scan using a reputable security product and change passwords for any accounts accessed on the affected device, prioritizing email, banking, and social media credentials. To verify whether a domain or IP address has been flagged by the security community, consumers can use free tools such as VirusTotal at virustotal.com or URLVoid at urlvoid.com. Suspected scam contacts and malicious domains should be reported to the Federal Trade Commission at reportfraud.ftc.gov and to the Federal Communications Commission at fcc.gov/consumers/guides/filing-informal-complaint.
This cluster represents a high-severity, multi-family threat campaign with active command-and-control infrastructure, live payload delivery nodes, and confirmed deployment of data-stealing and remote-access malware. Recommended next steps include network-level blocking of all IP addresses and domains identified in this report, threat hunting within enterprise environments for indicators associated with Amadey, Mirai, sshdkit, XWorm, and ScarfaceStealer, and monitoring for outbound connections to trycloudflare.com subdomains used as staging infrastructure. Because quick tunnels also have legitimate uses, the specific trycloudflare.com subdomains listed here should be blocked outright while any other trycloudflare.com resolution is alerted on and reviewed, particularly when the requesting client presents a wget or curl user agent. Security teams should treat the stau4.com cluster and the id3702579photo-image-docs.com phishing domain set as priority investigation targets given their high-confidence cross-entity linkages and central roles in the observed campaign graph.
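The hunting and monitoring steps above reduce to a few matching rules over egress logs. The following Python is an added example, not part of the original report or any vendor's product: it loads the report's domains and IP addresses as exact-match indicators, flags any other trycloudflare.com subdomain as a lower-severity lead rather than a verdict, and notes command-line downloader user agents (the ua-wget pattern) toward non-RFC1918 destinations. The key=value log format, the sample log lines, the RFC1918-only notion of "internal", and the severity labels are assumptions constructed for illustration; the destination addresses in the sample lines are from the 203.0.113.0/24 documentation range and are not indicators.

```python
"""Hunt the report's indicators in proxy/DNS-style egress logs.

Added example, not the report's own tooling. Log lines below are constructed;
the key=value schema is an assumption, not any vendor's format.
"""
import re
from ipaddress import ip_address, ip_network

# Exact-match indicators transcribed from the report.
IOC_DOMAINS = {
    "implementing-theft-metal-justin.trycloudflare.com",
    "staying-heavily-meaning-blowing.trycloudflare.com",
    "creations-venture-traditional-stainless.trycloudflare.com",
    "arilprivate.storexyz.web.id", "stau4.com", "mvirdi.com",
    "id3702579photo-image-docs.com", "qsve.cyrd.live", "blue-oceans.net",
    "teamrising.ae", "allcheat.netlify.app",
}
IOC_IPS = {
    "130.12.180.43", "104.194.152.180", "103.125.219.204", "206.123.145.26",
    "14.236.182.73", "83.224.162.132", "123.31.81.229", "120.157.56.105",
    "113.176.132.141", "178.50.218.234", "92.40.112.34", "86.150.68.134",
    "78.132.114.25", "217.156.65.56", "195.177.94.99", "195.177.94.228",
    "87.121.84.56", "45.205.1.19", "45.13.239.70", "91.92.240.222", "178.16.52.18",
}
# Quick tunnels have legitimate uses: an unlisted subdomain is a lead, not a verdict.
STAGING_PARENT = "trycloudflare.com"
# User agents of the automated fetchers seen pulling payloads (ua-wget tag); curl and
# python-requests are added as a generalisation, not from the report.
DOWNLOADER_UA = re.compile(r"^(Wget|curl|python-requests)/", re.I)
# "Internal" here means RFC1918 only (assumption); ipaddress.is_private would also
# treat documentation ranges such as 203.0.113.0/24 as private, which we do not want.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Parse key=value pairs; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def _is_internal(dst):
    try:
        addr = ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def classify(line):
    """Return a list of findings (rule, severity, matched value, source host) for one log line."""
    rec = parse(line)
    host = rec.get("host", "").lower().rstrip(".")
    dst = rec.get("dst", "")
    ua = rec.get("ua", "")
    findings = []
    if host in IOC_DOMAINS or dst in IOC_IPS:
        findings.append(("ioc_match", "high", host or dst))
    elif host == STAGING_PARENT or host.endswith("." + STAGING_PARENT):
        findings.append(("trycloudflare_subdomain", "medium", host))
    if DOWNLOADER_UA.match(ua) and not _is_internal(dst):
        findings.append(("cli_downloader_ua", "low", ua))
    return [dict(rule=r, severity=s, value=v, src=rec.get("src")) for r, s, v in findings]


def hunt(lines):
    return [finding for line in lines for finding in classify(line)]


# Constructed sample log; destination IPs are documentation addresses, not indicators.
SAMPLE_LOG = [
    'src=10.20.4.17 dst=203.0.113.5 host=implementing-theft-metal-justin.trycloudflare.com ua="Wget/1.21.2" path=/x86',
    'src=10.20.4.17 dst=130.12.180.43 ua="" path=/',
    'src=10.20.7.3 dst=203.0.113.10 host=random-words-go-here.trycloudflare.com ua="Mozilla/5.0" path=/',
    'src=10.20.7.3 dst=203.0.113.20 host=docs.example.com ua="Mozilla/5.0" path=/',
    'src=10.20.9.1 dst=203.0.113.30 host=allcheat.netlify.app ua="Mozilla/5.0" path=/download/client.exe',
    'src=10.20.9.1 dst=10.20.0.5 host=mirror.corp.internal ua="curl/8.4.0" path=/packages',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['rule']:24} src={f['src']} {f['value']}")
```

Against the sample lines this yields three high-severity indicator hits (the flagged tunnel subdomain, the Amadey C2 address, and the ScarfaceStealer download), one medium-severity lead for an unlisted trycloudflare.com subdomain, and one low-severity note for the wget fetch from the infected host; the internal curl mirror and the ordinary browsing line produce nothing. The second match on the first line is the combination worth escalating: a wget user agent pulling from a quick tunnel is exactly the opendir plus ua-wget behaviour the report describes.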