Infrastructure Analysis: Leveraging Bulletproof Hosting for Global JavaScript Malware Campaigns
Cybersecurity researchers have identified a sophisticated, large-scale malware infrastructure leveraging two prominent “bulletproof” hosting providers—GHOSTYNETWORKS and OMEGATECH.
This infrastructure is currently facilitating global JavaScript (JS) malware distribution, primarily driving massive malspam waves and targeted Business Email Compromise (BEC) operations.
In March 2026, a series of coordinated malspam campaigns began targeting high-value sectors, including energy conglomerates and government finance ministries. The delivery mechanism utilized compressed archives (ZIP/RAR) containing heavily obfuscated JavaScript backdoors. Unlike traditional malware that relies on executable files, these JS payloads exploit the system’s native scripting engines, allowing them to bypass many standard endpoint security controls that focus on binary execution.
Evidence suggests the threat actors are primarily financially motivated. Their objective is not long-term espionage, but rather the compromise of Email Accounts (EAC) to facilitate BEC theft. By impersonating industrial manufacturers and legitimate suppliers, attackers lure victims into opening attachments disguised as “purchase orders” or “quotients.”
Analysis of the delivery domains, such as mail.talruit.com and mpwirerope.com, shows they resolve to IP addresses 83.142.209[.]64 and 91.92.243[.]79, both hosted on highly abusive Autonomous System Numbers (ASNs). Targets have spanned a wide geographic range, including Ukraine, Russia, Poland, and Germany, with notable attempts against the Ministry of Finance of Transnistria.
According to a technical report by Intrinsec, these networks provide resilient Command-and-Control (C2) capabilities. Once a host is compromised, the script performs system reconnaissance and establishes outbound communication via HTTP POST requests. To evade detection, the malware utilizes non-standard ports—including 2002, 2004, 7273, 3232, 6565, 34567, and 2244—and employs an outdated Internet Explorer-style User-Agent string to blend in with legacy web traffic.

The malware maintains persistence and tracking by embedding unique identifiers into the C2 URL path, such as: scan.aryamint.com:2244/gATIjh?ia9BFQT8YZBK2MNDLSdf0. In more aggressive variants, the script bypasses the DNS layer entirely by connecting directly to C2 IPs, such as 158.94.211[.]76, to ensure resilience against domain-based blocking.
The Role of GHOSTYNETWORKS and OMEGATECH
GHOSTYNETWORKS (AS205759)
GHOSTYNETWORKS appears to be a rebranding of the notorious AnonRDP. BGP data and corporate intelligence link this network to the defunct ASN OPTIBOUNCE and organizer Daniel Mishayev. As a classic bulletproof provider, it is frequently flagged by Spamhaus for hosting abusive prefixes. Intrinsec honeypots recorded over 30,000 attacks from this ASN in March 2026 alone, ranging from brute-force attempts to opportunistic service scanning.
The network’s utility extends beyond malspam; it has been utilized by the TeamPCP group to host PUREHVNC RAT infrastructure and C2 nodes for a weaponized PyPI package designed to exfiltrate cloud credentials.

OMEGATECH (AS202412)
OMEGATECH serves as a massive industrial-scale engine for offensive operations. Identified as a front for the Russian-linked provider Virtualine, OMEGATECH is registered in the Seychelles and utilizes upstreams that have historically demonstrated a high tolerance for abusive customers. A single OMEGATECH subnet was recently observed hosting 67 different C2 servers across 16 distinct malware families.
In March 2026, OMEGATECH-linked IPs logged over 642,000 hits on Intrinsec honeypots, signifying a massive scale of reconnaissance and exploitation activity, including targeted campaigns against SonicWall firewalls.
The longevity of this threat actor is evident in their infrastructure migration patterns. The actor has been active since mid-2025, continuously shifting domains and IP addresses across different bulletproof networks (such as the previously blocked TELCHACK-AS) to stay ahead of takedown efforts.
Indicators of Compromise (IOCs)
| Value | Type | Description |
|---|---|---|
| 205759 | ASN | GHOSTYNETWORKS |
| 202412 | ASN | OMEGATECH-AS |
| 83.142.209[.]64 | IPv4 | Spam emission |
| 91.92.243[.]79 | IPv4 | Spam and JS backdoor C2 |
| 158.94.211[.]76 | IPv4 | JS backdoor C2 |
| mail.talruit[.]com | Domain | Spam delivery |
| talruit[.]com | Domain | Spam delivery |
| scan.aryamint[.]com | Domain | JS backdoor C2 |
| aryamint[.]com | Domain | JS backdoor C2 |
| mpwirerope[.]com | Domain | Spam delivery |
| ethara[.]org | Domain | Linked to TA infrastructure |
| 794fab796e48f97e976d99157913ab5beee5ae8ef2731bf2af2222ae5b6a1c65 | SHA-256 | JS backdoor – “QUOTE_B0426.js” |
| ac842e4adb445a76aad135828d56116858a1b7d37b4a103f493e175816df9bb2 | SHA-256 | JS backdoor – “PO 03603.zip” |
| 33713a3650a3c1d64045c3832835dcacef92ad4f09c030fbe674454266880fea | SHA-256 | JS backdoor – “PO 26683.js” |
| 7277f4dfb26a53f8ee47cac051a82f6709e07b6603f26ff3987cc64a137e07dc | SHA-256 | JS backdoor – “PO8767.rar” |
| 232a179daf4db527c062b609ebb5f19310eea8f5c80afce6f763f5841110aed8 | SHA-256 | JS backdoor – “PO8767.js” |
Security Advisory: All IP addresses and domains have been defanged for safety. Threat intelligence professionals should re-fang these indicators only within secure environments.