A sweeping cyber campaign targeting internet service provider (ISP) infrastructure has been identified, with over 4,000 IP addresses affected across China and the West Coast of the United States. The attack, originating from Eastern Europe, is a large-scale exploitation effort that leverages brute-force techniques to compromise ISP networks. Once inside, the attackers deploy credential abuse, data exfiltration, cryptomining payloads, and persistence mechanisms to evade detection.
The campaign was first identified by the Splunk Threat Research Team, which detailed how the attackers use weak or compromised credentials to gain access. According to the team’s findings, the cybercriminals rely on scripting languages such as Python and PowerShell to move laterally and execute command-and-control (C2) operations via Telegram API calls.
“These IPs were targeted by using a masscan tool which allows operators to scan large numbers of IP addresses which can subsequently be probed for open ports and credential brute-force attacks.”
Attack Methodology and Tools Used
The attackers deploy multiple binaries and scripts, hiding them in a folder named “Migration” on compromised hosts. Among the key files used are mig.rdp.exe, migrate.exe, and x64.exe. These executables facilitate cryptomining operations while also acting as information stealers, targeting cryptocurrency wallet addresses and clipboard data.
Windows Remote Management (WinRM) plays a crucial role in the attack. The adversaries abuse this remote execution tool to install payloads, using encoded PowerShell scripts to disable security features and delete forensic artifacts. Analysis of the malware’s execution chain reveals systematic steps to establish persistence, evade detection, and remove traces of malicious activity.
Upon initial access, attackers install binaries that include masscan.exe for network scanning, auto.exe for credential brute-forcing, and MicrosoftPrt.exe, a clipbanker malware that steals cryptocurrency wallet data. Another executable, IntelConfigService.exe, checks for the presence of security tools and kills detection processes. The malware also employs SSH connections to maintain persistence and communicate with the C2 infrastructure.
Cryptomining and Data Theft
Once inside an ISP network, the attackers deploy multiple cryptomining payloads, including the XMRig miner, to hijack processing power for illicit cryptocurrency mining. The malware modifies Windows Defender settings to exclude key directories from security scans and restricts access to system folders, ensuring uninterrupted operations.
Information-stealing malware is also deployed. MicrosoftPrt.exe scans clipboard data for cryptocurrency wallet addresses, replacing them with addresses controlled by the attackers. It also captures screenshots, sending them to the C2 server via Telegram bot commands. The malware uses obfuscation techniques, including self-extracting RAR archives, to bundle and deploy payloads while minimizing detection.
Evasion and Persistence Tactics
The attackers implement various tactics to remain undetected. Files are executed from non-standard directories, such as Windows fonts, temp, and servicing folders. The malware disables security updates and modifies registry settings to block remote access, making remediation difficult. The payloads also leverage Windows utilities like ICACLS and takeown to modify file permissions, restricting user access and preventing removal.
Cleanup scripts systematically remove forensic traces after privilege escalation is achieved. The malware terminates processes linked to security tools, deletes logs, and wipes execution artifacts. These techniques ensure prolonged access to compromised systems while limiting the ability of administrators to detect and remediate infections.
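A small detection pass over the behaviours described above, as an added example that is not part of the Splunk report or this article: it runs a handful of rules (execution from a "Migration" folder or from the Windows fonts, temp and servicing directories, Defender exclusions being added, encoded PowerShell, and icacls/takeown permission changes) over constructed Sysmon-style process-creation records. The field names, rule names, sample paths and the three-stage threshold are assumptions, not values from the report.

```python
import re

# Constructed Sysmon Event ID 1 style records (Image + CommandLine); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Fonts\x64.exe",
     "CommandLine": r"C:\Windows\Fonts\x64.exe -o pool.example:3333"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell Add-MpPreference -ExclusionPath "C:\Users\Public\Migration"'},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls C:\Users\Public\Migration /deny Users:(OI)(CI)F"},
    {"Image": r"C:\Windows\System32\takeown.exe",
     "CommandLine": r"takeown /F C:\Windows\Fonts\x64.exe"},
    {"Image": r"C:\Users\Public\Migration\mig.rdp.exe",
     "CommandLine": r"C:\Users\Public\Migration\mig.rdp.exe"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",            # benign control record
     "CommandLine": r'"C:\Program Files\Vendor\updater.exe" /check'},
]

# (rule name, pattern, field to inspect); names are hypothetical, patterns follow the article.
RULES = [
    ("exec_from_migration_folder", re.compile(r"\\Migration\\[^\\]+\.exe$", re.I), "Image"),
    ("exec_from_nonstandard_dir",
     re.compile(r"\\Windows\\(Fonts|Temp|servicing)\\[^\\]+\.exe$", re.I), "Image"),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I), "CommandLine"),
    ("encoded_powershell",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
     "CommandLine"),
    ("acl_tampering", re.compile(r"\\(icacls|takeown)\.exe$", re.I), "Image"),
]

def evaluate(event):
    """Return the names of every rule this single record matches, in RULES order."""
    return [name for name, pattern, field in RULES if pattern.search(event.get(field, ""))]

def triage(events):
    """Return only the records with at least one hit, annotated with the matching rule names."""
    return [{**ev, "rules": evaluate(ev)} for ev in events if evaluate(ev)]

def rule_counts(events):
    """Count how often each rule fired across a host's records."""
    counts = {}
    for ev in events:
        for name in evaluate(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts

def chain_suspected(events, min_stages=3):
    """Escalate when several distinct stages (exclusion, ACL change, odd-path execution...) co-occur."""
    return len(rule_counts(events)) >= min_stages

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["rules"], hit["CommandLine"])
    print("chain suspected:", chain_suspected(SAMPLE_EVENTS))
```

Any single rule fires on ordinary administration too (icacls is a legitimate tool); the value is in the co-occurrence check, which mirrors the chain the article describes.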