Scam Campaign Report: Coordinated Malware Domain Network
A coordinated malware campaign has been identified involving 13 connected entities, including 12 domains and one IP address, all flagged for malware activity. The domains in this cluster include ostekstatmen.net, infoworkerone.org, mstopsai.com, monstersstat.com, masterklass.net, globalsstat.com, merkureenv.net, globalsstat.org, jobworkny.com, maxstatesus.org, infoworkerone.com, and sorrystartstat1.net, along with the IP address 66.63.170.18. All entities carry active malware flags, and the campaign appears to be operating under a unified infrastructure based on the pattern of domain naming conventions and confirmed cross-entity relationships.
Relationship analysis reveals 15 confirmed same-campaign linkages across the cluster, each carrying a high confidence score of 0.90. The domain masterklass.net shares confirmed campaign ties with merkureenv.net, globalsstat.org, jobworkny.com, maxstatesus.org, and sorrystartstat1.net. Similarly, infoworkerone.com and ostekstatmen.net each share the same five confirmed same-campaign relationships with that same group of domains. This triangulated structure strongly suggests that masterklass.net, infoworkerone.com, and ostekstatmen.net function as hub or coordination nodes within the campaign, with the remaining domains serving as supporting or distribution infrastructure.
The naming conventions across these domains suggest the campaign may be targeting job seekers and workers, particularly those in the United States. Domains such as jobworkny.com, infoworkerone.com, infoworkerone.org, maxstatesus.org, and globalsstat.com and globalsstat.org use language associated with employment information, worker resources, and statistical or informational services. The inclusion of jobworkny.com specifically references New York, suggesting possible geographic targeting of job seekers in the New York metropolitan area, though the broader cluster of .com, .org, and .net variants indicates a campaign designed to cast a wide net across multiple audiences and search contexts.
The malware tags associated with all 13 entities indicate that individuals who click links to or visit these domains may be exposed to malicious software capable of credential theft, device compromise, or further exploitation. While no specific complaint counts were provided in the underlying data, the scale and coordination of this cluster, involving duplicate domain registrations across multiple top-level domains such as globalsstat.com and globalsstat.org, and infoworkerone.com and infoworkerone.org, reflects a deliberate strategy to maximize reach and evade takedown efforts. This tactic is commonly associated with campaigns that generate significant consumer harm before infrastructure is disrupted.
Consumers who encounter any of the domains listed in this report should take immediate protective action. Do not click links to or interact with any of the identified domains. If you receive an unsolicited email, text message, or job offer that directs you to any of these sites, do not provide personal information, financial details, or login credentials. Hang up on any phone-based contact associated with these entities. To verify whether a domain or URL is safe before visiting, use free tools such as Google Safe Browsing at safebrowsing.google.com or VirusTotal at virustotal.com. If you have been contacted by or have visited any of these domains, report the incident to the Federal Trade Commission at reportfraud.ftc.gov and to the Federal Communications Commission at fcc.gov/consumers/guides/filing-informal-complaint. If malware exposure is suspected, run a full security scan on your device immediately and change any passwords entered during the interaction.
This campaign represents a high threat level given the number of coordinated malware-flagged domains, the high-confidence relationship mapping across the cluster, and the apparent targeting of job seekers who may be in vulnerable financial situations. Recommended next steps include immediate reporting of all 12 domains and the IP address 66.63.170.18 to domain registrars and hosting providers for suspension, referral of the full cluster to the Cybersecurity and Infrastructure Security Agency at cisa.gov/report, and ongoing monitoring for newly registered domains using similar naming patterns that may indicate campaign expansion.