A wave of cyber offensives has zeroed in on internet service providers (ISPs) across China and the U.S. West Coast, unleashing information-stealing malware and cryptojacking software onto compromised systems. This large-scale brute-force campaign, dissected by the Splunk Threat Research Team, not only enables data theft but also lays the groundwork for long-term persistence within infiltrated networks.
Stealth-Driven Intrusions and Covert Lateral Movements
According to Splunk’s findings, the unidentified adversaries behind this assault have adopted low-profile tactics to evade detection. Their tooling is script-based, predominantly Python and PowerShell, which lets it run on hosts where dropping and executing compiled binaries would be more conspicuous. Their command-and-control (C2) channel is built on calls to the Telegram Bot API, so malicious traffic hides among legitimate use of a widely deployed messaging service.
Brute-Force Tactics and Geographic Origin
The campaign is characterized by brute-force attacks against weak credentials, originating primarily from Eastern European IP addresses. The attackers methodically targeted more than 4,000 ISP-related IP addresses, scanning for weakly secured entry points.
Once access is secured, PowerShell-driven payloads deploy a range of executables engineered for:
- Network reconnaissance
- Credential and data theft
- XMRig-based cryptojacking, hijacking victims’ processing power to mine cryptocurrency
Pre-Execution Defense Evasion & Payload Deployment
Before the primary malware payloads are executed, the attackers weaken host defenses by disabling anti-malware features and terminating processes associated with cryptominer detection, so that the miner and stealer can run unhindered.
The deployed stealer malware goes beyond data exfiltration: it includes clipboard-hijacking functionality of the kind seen in clipper malware. It watches the clipboard for cryptocurrency wallet addresses and silently replaces them with attacker-controlled ones, so a victim who copies a recipient address and pastes it into a wallet sends funds to the attacker instead. Targeted assets include:
- Bitcoin (BTC)
- Ethereum (ETH)
- Binance Chain BEP2 (ETHBEP2)
- Litecoin (LTC)
- TRON (TRX)
Stolen data is sent to a Telegram bot, which lets the exfiltration traffic blend in with legitimate Telegram API usage instead of pointing back at dedicated attacker infrastructure.
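The clipper behaviour described above comes down to two steps: recognise that the clipboard holds a wallet address, then swap it for one the attacker controls. The following added example (written for this page, not code from Splunk’s report or from the malware) shows both the attacker’s decision in `simulate_clipper` and the defender’s counter-check in `ClipboardGuard`, which compares the address the user copied with the one about to be pasted. The address regexes check shape only (prefix, alphabet, length), which is also all a clipper needs; they are the editor’s approximations of the public address formats, BEP2 is left out, and all sample addresses are constructed inputs for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Shape-only patterns (prefix, alphabet, length; no checksum) for the assets the
# article names. Assumption: these approximate the public address formats and are
# enough for a clipper to decide whether clipboard text is worth swapping.
_B58 = r"[a-km-zA-HJ-NP-Z1-9]"          # base58 alphabet: no 0, O, I, l
ADDRESS_PATTERNS = {
    "BTC": re.compile(rf"^(?:[13]{_B58}{{25,34}}|bc1[a-z0-9]{{25,62}})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(rf"^(?:[LM]{_B58}{{26,33}}|ltc1[a-z0-9]{{25,62}})$"),
    "TRX": re.compile(rf"^T{_B58}{{33}}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the asset whose address format `text` matches, or None."""
    text = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return asset
    return None


def simulate_clipper(clipboard_text: str, attacker_wallets: Dict[str, str]) -> str:
    """What a clipper does on every clipboard change: if the content is a wallet
    address for an asset the attacker holds a wallet for, return the attacker's
    address; otherwise return the text untouched so the victim notices nothing."""
    asset = classify(clipboard_text)
    if asset in attacker_wallets:
        return attacker_wallets[asset]
    return clipboard_text


class ClipboardGuard:
    """Defender-side check: remember what the user actually copied and compare it
    with what is about to be pasted. A *different* address of the *same* asset is
    the clipper's signature, since a user does not copy one address and paste
    another. A real deployment would hook clipboard/paste events; here the
    events are fed in explicitly."""

    def __init__(self) -> None:
        self._copied: Optional[Tuple[str, str]] = None   # (asset, address)

    def on_copy(self, text: str) -> Optional[str]:
        asset = classify(text)
        self._copied = (asset, text.strip()) if asset else None
        return asset

    def on_paste(self, text: str) -> Optional[str]:
        """Return an alert string if the paste looks like a swapped address."""
        asset = classify(text)
        if asset is None or self._copied is None:
            return None
        copied_asset, copied_addr = self._copied
        if asset == copied_asset and text.strip() != copied_addr:
            return (f"{asset} address swapped in clipboard: "
                    f"copied {copied_addr}, pasting {text.strip()}")
        return None


# Constructed sample values for this example only. VICTIM_* are format-valid
# public example addresses; ATTACKER_WALLETS are arbitrary format-valid strings.
VICTIM_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
VICTIM_ETH = "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAE"
ATTACKER_WALLETS = {
    "BTC": "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
    "ETH": "0x" + "ab" * 20,
    "TRX": "TLa2f6VPqDgRE67v1736s7bJ8Ray5wYjU7",
}

if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.on_copy(VICTIM_BTC)                      # user copies the real recipient
    tampered = simulate_clipper(VICTIM_BTC, ATTACKER_WALLETS)   # clipper swaps it
    print("clipboard now holds:", tampered)
    print("guard says:", guard.on_paste(tampered))
    print("benign paste:", guard.on_paste(VICTIM_BTC))
```

The guard deliberately ignores a paste of a different asset type or of non-address text: the only event it treats as hostile is the one a clipper must produce, an address of the same coin that differs from the one copied. That keeps false positives low while still catching the substitution regardless of which wallet the attacker uses.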
Tools of the Trade: Masscan & Automated Brute-Force Modules
Beyond malware deployment, the attackers introduced additional executables designed to expand their reach and compromise more systems, including:
- Auto.exe – Retrieves password and IP lists (pass.txt and ip.txt) from the attacker’s C2 infrastructure for further brute-force attempts.
- Masscan.exe – A high-speed, large-scale network scanning tool used to enumerate open ports and pinpoint susceptible hosts.
According to Splunk, the campaign deliberately focused on ISP infrastructure CIDRs, particularly those positioned on the U.S. West Coast and within China. Masscan allowed the attackers to sweep these large IP ranges quickly, identifying exposed services that were then subjected to credential brute-forcing using the password and IP lists retrieved by Auto.exe.
Implications & Countermeasures
Given the targeted nature of this campaign, ISPs and enterprises alike must harden their authentication mechanisms, enforce multi-factor authentication (MFA), and monitor for anomalous PowerShell execution, anti-malware configuration changes, and bursts of failed logons from single sources. With attackers relying on weak credentials rather than exploits, organizations that tighten access controls and alert on brute-force activity early can blunt the impact of such large-scale incursions.
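Two of the behaviours this article describes, the volume of failed logons produced by brute-forcing and the anti-malware tampering that precedes payload execution, are both straightforward to detect once the relevant telemetry is collected. The following added example (written for this page; it is not Splunk’s detection content) runs a sliding-window failed-logon counter and a PowerShell script-block pattern check over a constructed set of log lines. The key=value line format, the threshold of 20 failures in five minutes, the RFC 5737 sample addresses and the two Defender-tampering cmdlet patterns are all the editor’s assumptions, not indicators taken from the Splunk report; `Set-MpPreference -Disable*` and `Add-MpPreference -Exclusion*` are real Windows Defender cmdlet parameters, chosen because they are what "disabling anti-malware features" typically looks like in script-block logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON_THRESHOLD = 20       # assumed tuning: this many failed logons...
WINDOW = timedelta(minutes=5)     # ...from one source IP within this window

# Assumed tampering indicators for PowerShell script block logs (event 4104).
# The article only says anti-malware features were disabled; these patterns are
# the editor's guess at what that looks like, not IOCs from the Splunk report.
DEFENDER_TAMPER = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.IGNORECASE),
    re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.IGNORECASE),
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> Dict[str, object]:
    """Parse a constructed 'key=value' log line; quoted values may contain spaces."""
    rec: Dict[str, object] = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec["ts"] = datetime.strptime(str(rec["ts"]), _TS_FMT)
    return rec


def detect(lines: List[str]) -> List[str]:
    """Return one alert per brute-forcing source IP and one per tampering script block."""
    alerts: List[str] = []
    failures: Dict[str, deque] = defaultdict(deque)   # src -> recent 4625 timestamps
    flagged_sources = set()
    for line in lines:
        rec = parse_line(line)
        if rec["event"] == "4625":                     # Windows: failed logon
            src, ts = str(rec["src"]), rec["ts"]
            window = failures[src]
            window.append(ts)
            while window and ts - window[0] > WINDOW:  # drop events outside the window
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(f"brute-force: {len(window)} failed logons from {src} "
                              f"within {WINDOW}")
        elif rec["event"] == "4104":                   # PowerShell script block
            script = str(rec.get("script", ""))
            for pattern in DEFENDER_TAMPER:
                if pattern.search(script):
                    alerts.append(f"defender-tampering on {rec['host']}: {pattern.pattern}")
                    break
    return alerts


def build_sample_logs() -> List[str]:
    """Constructed sample telemetry, not real data. Source IPs are RFC 5737 ranges."""
    t0 = datetime(2025, 3, 4, 10, 0, 0)
    users = ["admin", "administrator", "root", "support"]
    lines = []
    # 25 failures in two minutes from one source, cycling through usernames
    for i in range(25):
        ts = (t0 + timedelta(seconds=5 * i)).strftime(_TS_FMT)
        lines.append(f"ts={ts} event=4625 host=edge01 src=203.0.113.7 user={users[i % 4]}")
    # 3 failures spread over 40 minutes from another source: a typo, not an attack
    for i in range(3):
        ts = (t0 + timedelta(minutes=20 * i)).strftime(_TS_FMT)
        lines.append(f"ts={ts} event=4625 host=edge01 src=198.51.100.9 user=jsmith")
    lines.append('ts=2025-03-04T10:03:00Z event=4104 host=edge01 '
                 'script="Set-MpPreference -DisableRealtimeMonitoring $true"')
    lines.append('ts=2025-03-04T10:04:00Z event=4104 host=edge02 '
                 'script="Get-Process | Where-Object CPU -gt 100"')
    return sorted(lines)   # lines start with the ISO timestamp, so this orders by time


if __name__ == "__main__":
    for alert in detect(build_sample_logs()):
        print(alert)
```

The per-source deque keeps memory bounded to one window of events per IP, and the `flagged_sources` set emits a single alert per source rather than one per additional failure; in a SIEM the equivalent is a threshold search over the failed-logon event keyed on source address. The second detector is intentionally narrow: broad matches on `MpPreference` would fire on legitimate administration, while the `-Disable*` and `-Exclusion*` parameters are the ones an attacker needs to switch protection off or carve out a path for the miner.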