Infrastructure Analysis: Leveraging Bulletproof Hosting for Global JavaScript Malware Campaigns

Cybersecurity researchers have identified a sophisticated, large-scale malware infrastructure leveraging two prominent “bulletproof” hosting providers—GHOSTYNETWORKS and OMEGATECH.

This infrastructure is currently facilitating global JavaScript (JS) malware distribution, primarily driving massive malspam waves and targeted Business Email Compromise (BEC) operations.

In March 2026, a series of coordinated malspam campaigns began targeting high-value sectors, including energy conglomerates and government finance ministries. The delivery mechanism utilized compressed archives (ZIP/RAR) containing heavily obfuscated JavaScript backdoors. Unlike traditional malware that relies on executable files, these JS payloads exploit the system’s native scripting engines, allowing them to bypass many standard endpoint security controls that focus on binary execution.

Evidence suggests the threat actors are primarily financially motivated. Their objective is not long-term espionage, but rather the compromise of Email Accounts (EAC) to facilitate BEC theft. By impersonating industrial manufacturers and legitimate suppliers, attackers lure victims into opening attachments disguised as “purchase orders” or “quotients.”

Analysis of the delivery domains, such as mail.talruit.com and mpwirerope.com, shows they resolve to IP addresses 83.142.209[.]64 and 91.92.243[.]79, both hosted on highly abusive Autonomous System Numbers (ASNs). Targets have spanned a wide geographic range, including Ukraine, Russia, Poland, and Germany, with notable attempts against the Ministry of Finance of Transnistria.

According to a technical report by Intrinsec, these networks provide resilient Command-and-Control (C2) capabilities. Once a host is compromised, the script performs system reconnaissance and establishes outbound communication via HTTP POST requests. To evade detection, the malware utilizes non-standard ports—including 2002, 2004, 7273, 3232, 6565, 34567, and 2244—and employs an outdated Internet Explorer-style User-Agent string to blend in with legacy web traffic.

Phishing email campaign samples
Phishing email samples from the March 2026 campaign (Source: Intrinsec).

The malware maintains persistence and tracking by embedding unique identifiers into the C2 URL path, such as: scan.aryamint.com:2244/gATIjh?ia9BFQT8YZBK2MNDLSdf0. In more aggressive variants, the script bypasses the DNS layer entirely by connecting directly to C2 IPs, such as 158.94.211[.]76, to ensure resilience against domain-based blocking.

The Role of GHOSTYNETWORKS and OMEGATECH

GHOSTYNETWORKS (AS205759)

GHOSTYNETWORKS appears to be a rebranding of the notorious AnonRDP. BGP data and corporate intelligence link this network to the defunct ASN OPTIBOUNCE and organizer Daniel Mishayev. As a classic bulletproof provider, it is frequently flagged by Spamhaus for hosting abusive prefixes. Intrinsec honeypots recorded over 30,000 attacks from this ASN in March 2026 alone, ranging from brute-force attempts to opportunistic service scanning.

The network’s utility extends beyond malspam; it has been utilized by the TeamPCP group to host PUREHVNC RAT infrastructure and C2 nodes for a weaponized PyPI package designed to exfiltrate cloud credentials.

Honeypot attack distribution chart
Distribution of attacks targeting honeypots by destination port originating from AS205759 (Source: Intrinsec).

OMEGATECH (AS202412)

OMEGATECH serves as a massive industrial-scale engine for offensive operations. Identified as a front for the Russian-linked provider Virtualine, OMEGATECH is registered in the Seychelles and utilizes upstreams that have historically demonstrated a high tolerance for abusive customers. A single OMEGATECH subnet was recently observed hosting 67 different C2 servers across 16 distinct malware families.

In March 2026, OMEGATECH-linked IPs logged over 642,000 hits on Intrinsec honeypots, signifying a massive scale of reconnaissance and exploitation activity, including targeted campaigns against SonicWall firewalls.

The longevity of this threat actor is evident in their infrastructure migration patterns. The actor has been active since mid-2025, continuously shifting domains and IP addresses across different bulletproof networks (such as the previously blocked TELCHACK-AS) to stay ahead of takedown efforts.

Indicators of Compromise (IOCs)

Value Type Description
205759 ASN GHOSTYNETWORKS
202412 ASN OMEGATECH-AS
83.142.209[.]64 IPv4 Spam emission
91.92.243[.]79 IPv4 Spam and JS backdoor C2
158.94.211[.]76 IPv4 JS backdoor C2
mail.talruit[.]com Domain Spam delivery
talruit[.]com Domain Spam delivery
scan.aryamint[.]com Domain JS backdoor C2
aryamint[.]com Domain JS backdoor C2
mpwirerope[.]com Domain Spam delivery
ethara[.]org Domain Linked to TA infrastructure
794fab796e48f97e976d99157913ab5beee5ae8ef2731bf2af2222ae5b6a1c65 SHA-256 JS backdoor – “QUOTE_B0426.js”
ac842e4adb445a76aad135828d56116858a1b7d37b4a103f493e175816df9bb2 SHA-256 JS backdoor – “PO 03603.zip”
33713a3650a3c1d64045c3832835dcacef92ad4f09c030fbe674454266880fea SHA-256 JS backdoor – “PO 26683.js”
7277f4dfb26a53f8ee47cac051a82f6709e07b6603f26ff3987cc64a137e07dc SHA-256 JS backdoor – “PO8767.rar”
232a179daf4db527c062b609ebb5f19310eea8f5c80afce6f763f5841110aed8 SHA-256 JS backdoor – “PO8767.js”

Security Advisory: All IP addresses and domains have been defanged for safety. Threat intelligence professionals should re-fang these indicators only within secure environments.

Related Articles

Back to top button