#cryptominer

2026-01-19

Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

An analysis of Chinese hosting environments reveals over 18,000 active command-and-control (C2) servers distributed across 48 infrastructure providers. C2 infrastructure dominates malicious activity at 84%, followed by phishing at 13%. China Unicom hosts nearly half of all observed C2 servers, with Alibaba Cloud and Tencent following. A small set of malware families, including Mozi, ARL, and Cobalt Strike, accounts for most C2 activity. The infrastructure supports both cybercrime and state-linked operations, with RATs, cryptominers, and APT tooling coexisting. High-trust networks like China169 Backbone and CERNET are actively exploited. This host-centric approach exposes long-running abuse patterns and infrastructure reuse across campaigns, enabling more resilient threat detection and mitigation strategies.

Pulse ID: 6968d7975512c0a199a5bc1f
Pulse Link: otx.alienvault.com/pulse/6968d
Pulse Author: AlienVault
Created: 2026-01-15 12:03:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #Cloud #CobaltStrike #CryptoMiner #CyberCrime #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #bot #AlienVault

Andrew 🌻 Brandt 🐇 threatresearch@infosec.exchange
2026-01-12

I had a chance last week to chat with Benjamin Read of #Wiz. Last month, Read and other members of his team published a deep dive into the #React2Shell (CVE-2025-55182) vulnerability, and I was curious to see what has been hitting my honeypot, so I took a closer look.

This is doing some weird stuff, friends.

As is normally the case with exploits targeting internet-facing devices, once the exploit becomes known, it ends up in the automated scanners used by threat actors and security researchers. What I've seen over the past week is a combination of both.

In just a few hours of operation, I identified a small number of source IP addresses exploiting React2Shell by pointing the vulnerable system at URLs hosting BASH scripts. These scripts are really familiar to anyone who routinely looks at honeypot data - they contain a series of commands that pull down and execute malicious payloads.

And as I've seen in the past, some of these payloads use racially inflammatory language in their malware. It's weird and gross, but unfortunately, really common.

But while most of these payloads were "the usual suspects" - remote shells, cryptocurrency miners - there was one payload that stuck out.

It's an exploit file, based on this proof-of-concept [github.com/iotwar/FIVEM-POC/bl] designed to DDoS a modded server running "FiveM," a popular version of the game Grand Theft Auto V.

Let that one sink in: among the earliest adopters of a brand new exploit are...people trying to mess with other people's online game servers.

I've long said that exploits like these are the canaries in the datacenter coal mine. After all, if an attacker can force your server to run a cryptominer (or a game DDoS tool), they can force it to run far more malicious code.

I guess someone, or a group of someones, just want to ruin everyone's good time, no matter how or what form that takes. And they'll do it in the most offensive way possible.

Anyway, patch your servers, please, if only to stick it to these people who want to be the reason we can't have nice things.

#PoC #exploit #CVE_2025_55182 #DDoS #FiveM #REACT #Bash #cryptominer #malware

Image captions:
User-Agents employed both by researchers and threat actors attempting to exploit React2Shell on a honeypot.
Some of the malware contains Bash script commands and filenames with racially offensive slurs. These are not nice people.
What a sample React2Shell exploit command looks like - a lot like Mirai and other automated worms.
In just a few hours, these four IP addresses tried to infect my honeypot dozens of times.
2025-12-15

My VPS keeps getting infected with a cryptominer right after I reinstall Ubuntu 24.04. Bots brute-force the root password in the window between first boot and the moment my Ansible hardening script runs. Symptoms: CPU at 100%, a suspicious process (XMRig), system logs wiped. Questions: Is a 50-character password strong enough? How do I lock down the server during the installation phase? #securitytips #cryptomining #Ubuntu #VPS

Tags: #VPSan ninh #cryptominer #Ubuntu2404 #Ansible #BruteForce #Kinhnghiệmthựctế #Hethongdichvu

2025-07-18

A Linux cryptominer has been quietly spreading malware for years by hijacking legit websites with SSL certs.

🔗 hackread.com/linux-cryptominer

#CyberSecurity #Linux #Cryptominer #Malware #Crypto

Wulfy—Speaker to the machines n_dimension@infosec.exchange
2025-07-16

Finally completed my rebuild of my #Grafana #prometheus #vps stack.

The old one was hosed in a 3 month battle with a #cryptominer
It was #docker but they kept fucking the Prometheus container.

I rebuilt everything from scratch. The panels are integrated into a single JSON file, rather than in libraries.

The stack is now #podman. Rootless execution.
But I couldn't get #cadvisor to feed it.
So I got a dodgy scraper script.
But even with nice, it loads the low tier VPS to 14%

#selfhosting

🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸 schizanon
2025-06-17
:awesome:🐦‍🔥nemo™🐦‍⬛ 🇺🇦🍉 nemo@mas.to
2025-03-11

Cybercriminals are blackmailing YouTubers with fake copyright claims! 😱 They're threatening creators into distributing malware disguised as download links. A trojanized program installs a cryptominer. ⚠️ Be careful what you download! More info: techradar.com/pro/security/you #cybersecurity #malware #youtube #cryptominer #newz

Patryk Krawaczyński agresor@infosec.exchange
2025-02-19

CVE-2021-41773 and CVE-2021-42013 ending in crypto mining by RedTail ( nfsec.pl/ai/6597 ) #cryptominer #botnet #redtail #linux #security #twittermigration

youtube.com/watch?v=XEDgaXtpFRM

RedPacket Security RedPacketSecurity
2025-01-12
cryptax cryptax
2024-12-13

r2ai can be used over source code. Here, with Claude AI, it analyzes a sample of Linux/Rudedevil. I'm asking it to explain what it's doing with signals, and I really like its insights like "The malware likely handles this to prevent crashes when network connections fail" or "likely prevent normal process termination". Really useful to a malware analyst.

cc: @radareorg

Image captions:
This is the presumed decompiled source code for Linux/Rudedevil. Decompiled using decai and Claude AI.
This is the explanation from Claude AI, questioned via r2ai on our file.
Wulfy—Speaker to the machines n_dimension@infosec.exchange
2024-11-22
Kevin Karhan :verified: kkarhan@infosec.space
2024-08-06

@dirksche Sounds like a #CryptoMiner or something like that...

Have you opened ps -aux or btop?

Maybe take a look in top or htop, and if necessary back up /home/ and reinstall the system, since that's faster?

tricia, queen of house cyberly :verified_paw: :donor: triciakickssaas@infosec.exchange
2024-05-30

New(ish) #cryptominer alert!

The #RedTail cryptominer has a new variant that exploits the recent critical PAN-OS vuln CVE-2024-3400. You may be aware of RedTail from its Log4Shell days, now it's going after at least 6 known vulnerabilities including the PAN-OS, recent Ivanti Connect Secure vulns, and ThinkPHP.

The write-up goes into a lot more technical detail and provides IoCs and mitigations. Here are the highlights:

🔐 Attackers behind this are using private cryptomining pools. It costs a loooootttt of money and time to do this. It also helps obfuscation. This can tell us some things about who is behind this.

👨‍💻 The tactics observed here mirror tactics previously seen by the Lazarus group. This nation-state theory is supported by the private pools point, but we cannot say that for certain.

🌐 The malware delivery infrastructure relies on multiple unrelated servers hosted by various ✨ legitimate ✨ hosting companies. It is robust and hard to classify as malicious without deeper examination.

Full write up includes IoCs and mitigations:
akamai.com/blog/security-resea

Incredible work Ryan Barnett Stiv Kupchik and Maxim Zavodchik. I have the coolest job in the world thanks to these folks and their awesome research.

#security #research #crypto

Image caption: Spearhead bash script checks victim's processor architecture to download the most compatible binary malware.

🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸 schizanon
2024-05-05

1) is a shaping engine, it's used in , , , , , +, , , , , , , , , , , Engine, and other places.

2) Harfbuzz 8.0 introduces a shaper, that allows to be embedded in a file. phoronix.com/news/HarfBuzz-8.0

3) It's only a matter of time until someone embeds a in a font file.

2024-04-24

#cybersecurity #threatintel #campaign #backdoor #cryptominer

Users of eScan antivirus are advised to update ASAP to the latest version, and scan their devices for malicious files and processes.

Client Info

Server: https://mastodon.social