
Internet service providers in China and on the west coast of the United States have fallen victim to a large-scale exploitation campaign in which attackers broke into systems to deploy information-stealing malware and cryptocurrency miners.
Researchers at Splunk reported that the attack also involved deploying a number of binaries designed to exfiltrate sensitive data and maintain persistent access on infected systems. According to the researchers, the threat actors operated with a minimal footprint, leaving behind only a few forensic artifacts within the accounts they had already compromised.
The attackers leveraged scripting languages such as Python and PowerShell, which let them operate within restricted environments and issue API requests (to Telegram, for instance) to control infected machines remotely. Initial access was obtained through brute-force attacks on weak credentials. Analysis of the attack sources suggests they originated from Eastern Europe, and more than 4,000 IP addresses belonging to internet providers were targeted.
Once inside the network, the threat actors downloaded executables via PowerShell, carried out network reconnaissance and data theft, and deployed XMRig, a cryptocurrency miner that consumes the victims' computing resources. Before executing the primary payload, the attackers disabled security features and terminated processes associated with cryptominer detection.
Beyond data exfiltration and screenshot capture, the malware behaved like a clipboard hijacker (a "clipper"), monitoring copied content for cryptocurrency wallet addresses, the classic setup for silently replacing a victim's address with one the attacker controls. The targeted digital assets included Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX).
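The following is an added example, not code from the Splunk report or from the malware it describes: a string-only simulation of the decision a clipper makes when it inspects copied text. The address formats are the public ones for each chain (the BEP2 form is assumed to be the bech32 "bnb1..." style), every sample address and attacker wallet is a made-up placeholder, and nothing here reads or writes the real clipboard. The point is that wallet addresses are so distinctive that a few regular expressions are enough to pick them out of arbitrary clipboard content, which is exactly why the swap can be done without the user noticing.

```python
# Added example (not from the Splunk report or the malware it describes):
# simulation of a clipboard hijacker's address check on plain strings.
import re
from typing import Dict, Optional, Tuple

# Base58 alphabet (Bitcoin, Litecoin, TRON): digits and letters without 0, O, I, l.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
# bech32 data alphabet (native SegWit, BEP2): no 1, b, i, o.
B32 = r"[02-9ac-hj-np-z]"

# Public address formats for the chains named in the report.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "BTC": re.compile(rf"^(?:[13]{B58}{{25,34}}|bc1{B32}{{39,59}})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ETHBEP2": re.compile(rf"^bnb1{B32}{{38}}$"),  # assumed bech32 "bnb1" BEP2 form
    "LTC": re.compile(rf"^(?:[LM]{B58}{{26,33}}|ltc1{B32}{{39,59}})$"),
    "TRX": re.compile(rf"^T{B58}{{33}}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose public address format the copied text matches, else None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return chain
    return None


def hijack_clipboard(content: str, attacker_addresses: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Simulate the clipper: return (new_clipboard_content, swapped_chain_or_None).

    The content is replaced only when it is a recognised address AND the attacker
    holds a wallet for that chain; everything else passes through untouched, which
    is what keeps this kind of malware quiet on a busy workstation.
    """
    chain = classify_address(content)
    if chain is not None and chain in attacker_addresses:
        return attacker_addresses[chain], chain
    return content, None


def paste_is_tampered(copied: str, pasted: str) -> bool:
    """Defender-side check: an address was copied but something else got pasted."""
    return classify_address(copied) is not None and copied.strip() != pasted.strip()


# Constructed sample clipboard contents (made up for this example).
SAMPLES = [
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",           # BTC legacy (P2PKH style)
    "0x00112233445566778899aabbccddeeff00112233",   # ETH
    "TAbCdEfGhJkMnPqRsTuVwXyZ123456789a",           # TRX
    "LAbCdEfGhJkMnPqRsTuVwXyZ12345678",             # LTC legacy
    "bnb1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9",   # BEP2 (assumed form)
    "meeting moved to 10:30",                       # ordinary text, must pass through
]

# Placeholder attacker wallets (made up; the attacker only needs one per chain).
ATTACKER_WALLETS = {
    "BTC": "1Attacker1111111111111111111111111",
    "ETH": "0x" + "ab" * 20,
}


if __name__ == "__main__":
    for sample in SAMPLES:
        new_content, swapped = hijack_clipboard(sample, ATTACKER_WALLETS)
        print(f"{classify_address(sample) or '-':8} {sample!r:48} "
              f"swapped={swapped} tampered={paste_is_tampered(sample, new_content)}")
```

`paste_is_tampered` is the minimal user-side counter-check: before signing a transaction, compare the address you intended to send to with the one that actually landed in the form field. Wallet front-ends that show the pasted address back to the user rely on the human doing exactly this comparison, and clippers win precisely because most people do not.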
Stolen data was sent to a Telegram bot, while an additional binary deployed on compromised machines launched further malicious payloads. Among these were "Auto.exe", which downloads a password list ("pass.txt") and an IP address list ("ip.txt") to drive subsequent brute-force attacks, and "Masscan.exe", a copy of the Masscan tool used for large-scale port scanning.
The attackers focused on specific CIDR ranges belonging to internet service providers in China and the western United States. Masscan let them sweep vast numbers of IP addresses quickly, identify open ports, and then launch brute-force attacks against the accounts exposed behind them.
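The scan-then-brute-force loop described in the last two paragraphs leaves a recognisable trace on the victim side: one source address producing a burst of failed logins across many different usernames (a password list and an IP list being replayed), sometimes followed by a single success. The detector below is an added example, not part of the Splunk report, and runs over constructed sshd-style log lines (ISO timestamps are used instead of the syslog date format purely to keep parsing short). Thresholds, the log format and all addresses are assumptions for the example.

```python
# Added example (not from the Splunk report): brute-force detection over
# constructed sshd-style authentication log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log. 203.0.113.10 sprays several accounts and then gets in;
# 198.51.100.7 is a user mistyping once; 192.0.2.5 is slow and low (one try
# every five minutes), which this window-based rule deliberately does not catch.
SAMPLE_LOG = """
2025-03-04T10:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
2025-03-04T10:00:04 sshd[2102]: Failed password for root from 203.0.113.10 port 51235 ssh2
2025-03-04T10:00:08 sshd[2103]: Failed password for invalid user test from 203.0.113.10 port 51236 ssh2
2025-03-04T10:00:12 sshd[2104]: Failed password for invalid user guest from 203.0.113.10 port 51237 ssh2
2025-03-04T10:00:15 sshd[2105]: Failed password for root from 203.0.113.10 port 51238 ssh2
2025-03-04T10:00:19 sshd[2106]: Failed password for invalid user oracle from 203.0.113.10 port 51239 ssh2
2025-03-04T10:00:23 sshd[2107]: Accepted password for root from 203.0.113.10 port 51240 ssh2
2025-03-04T10:01:00 sshd[2110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2025-03-04T10:01:05 sshd[2111]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
2025-03-04T10:02:00 sshd[2120]: Failed password for bob from 192.0.2.5 port 30001 ssh2
2025-03-04T10:07:00 sshd[2121]: Failed password for bob from 192.0.2.5 port 30002 ssh2
2025-03-04T10:12:00 sshd[2122]: Failed password for bob from 192.0.2.5 port 30003 ssh2
"""


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(lines: List[str], window: timedelta = timedelta(seconds=60),
                      min_failures: int = 5) -> Dict[str, dict]:
    """Flag source IPs with >= min_failures failures inside any `window`, or with
    a successful login that follows at least min_failures earlier failures."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if not e["ok"]]

        # Peak number of failures inside any sliding window (two-pointer scan).
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)

        # First success that comes after a run of at least min_failures failures:
        # the signal that a credential from the password list actually worked.
        seen_failures, success_after = 0, None
        for e in events:
            if e["ok"]:
                if seen_failures >= min_failures:
                    success_after = e["user"]
                    break
            else:
                seen_failures += 1

        if peak >= min_failures or success_after is not None:
            findings[ip] = {
                "peak_failures_in_window": peak,
                "distinct_users": len({e["user"] for e in failures}),
                "success_after_failures": success_after,
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.strip().splitlines()).items():
        print(ip, info)
```

Only 203.0.113.10 is reported: six failures in eighteen seconds against five different accounts, then an accepted login for root. The single mistyped password from 198.51.100.7 stays below the threshold, and 192.0.2.5 never puts more than one failure inside a 60-second window. That last case is the caveat: a campaign that paces its attempts to the size of your window is invisible to this rule, so in practice you pair a short-window burst rule like this one with a longer-horizon count of distinct usernames per source and a standing alert on any success that follows failures.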