The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66.
Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from digital assets related to Proton66, which led to the discovery of an active threat cluster that uses Visual Basic Script (VBS) as its initial attack vector and deploys remote access trojans (RATs).
Many threat actors rely on bulletproof hosting providers like Proton66 because these services deliberately ignore abuse reports and legal requests. This lets phishing sites, command-and-control servers and malware delivery systems run without interruption.
The cybersecurity company said it identified a set of domains with a similar naming scheme (for example, gfast.duckdns(.)org and njfast.duckdns(.)org), starting in August 2024, all of which resolved to the same Proton66 IP address (45.135.232(.)38).
The use of dynamic DNS services such as DuckDNS also plays a key role in these operations. Instead of registering new domains every time, the attackers rotate subdomains tied to a single IP address, which complicates detection for defenders.
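As an added example (not code from Trustwave's report), the following Python script turns that observation into a detection: it reads constructed DNS resolver log lines, groups dynamic-DNS hostnames by the address they resolve to, flags any address that answers for several such hostnames, and extracts the naming fragment they share. The log format, the placeholder IP and the dynamic-DNS suffixes other than DuckDNS are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real telemetry); assumed format:
# "<timestamp> <client> <qname> <rtype> <answer>". IP is a placeholder.
SAMPLE_LOG = """\
2024-08-12T10:01:02Z ws-17 gfast.duckdns.org A 203.0.113.38
2024-08-12T10:03:41Z ws-23 njfast.duckdns.org A 203.0.113.38
2024-08-13T08:15:09Z ws-04 cfast.duckdns.org A 203.0.113.38
2024-08-13T09:42:55Z ws-17 www.example.com A 93.184.216.34
2024-08-13T11:20:00Z ws-09 updates.example.net A 93.184.216.34
2024-08-14T07:05:33Z ws-23 dfast.duckdns.org A 203.0.113.38
"""

# DuckDNS is the provider named in the article; the others are assumed
# additions you would tune to your own environment.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\d+\.\d+\.\d+\.\d+)$")

def parse_log(text):
    """Yield (qname, ip) for A-record lines; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(3).lower().rstrip("."), m.group(4)

def is_dyndns(qname):
    return any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES)

def find_shared_ip_clusters(text, min_hosts=3):
    """Map IP -> sorted dynamic-DNS hostnames for every IP that answers
    for at least min_hosts distinct such names (the rotation pattern above)."""
    by_ip = defaultdict(set)
    for qname, ip in parse_log(text):
        if is_dyndns(qname):
            by_ip[ip].add(qname)
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_hosts}

def common_label_suffix(hosts):
    """Longest common trailing string of the leftmost labels, e.g. 'fast'
    for gfast/njfast/cfast, to surface a shared naming scheme."""
    labels = [h.split(".")[0] for h in hosts]
    suffix = labels[0]
    for lbl in labels[1:]:
        while not lbl.endswith(suffix):
            suffix = suffix[1:]
    return suffix
```

Run `find_shared_ip_clusters(SAMPLE_LOG)` on the sample to see the single flagged address and its four `*fast` hostnames; raise `min_hosts` to reduce noise on busy resolvers.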
“The domains in question were used to host various malicious content, including phishing pages and VBS scripts that serve as the initial stage for deploying malware,” said security researcher Serhii Melnyk. “These scripts act as second-stage tools that load publicly available and often open-source RATs.”
Although VBS may seem outdated, it remains a viable initial access tool because of its compatibility with Windows systems and its ability to run silently in the background. Attackers use it to load malware loaders, evade antivirus tools and blend in with users’ regular activity. These lightweight scripts are often the first step in multi-stage attacks that later deploy RATs, information stealers or keyloggers.
The phishing pages were found to impersonate legitimate Colombian banks and financial institutions, including Bancolombia, BBVA, Banco Caja Social and Davivienda. Blind Eagle, also known as AguilaCiega, APT-C-36 and APT-Q-98, is known for targeting organizations in South America, particularly in Colombia and Ecuador.
The sites are designed to harvest users’ credentials and other sensitive information. The VBS payloads hosted on the infrastructure are able to retrieve encrypted files from a remote server, essentially acting as loaders for commodity RATs such as AsyncRAT or Remcos RAT.
In addition, the analyzed VBS code overlaps with VBS-Crypter, a tool linked to the subscription-based crypter service Crypters and Tools, which is used to obfuscate and pack VBS payloads to evade detection.
Trustwave said it also discovered a botnet panel that allows users to “control infected machines, receive exfiltrated data and interact with infected endpoints through a wide range of capabilities that are typically found in RATs.”
The disclosure comes as Darktrace revealed details of a Blind Eagle campaign that has targeted Colombian organizations since November 2024, using a Windows vulnerability (CVE-2024-4345) to download and execute next-stage payloads, behavior that was first documented by Check Point in March 2025.
“Blind Eagle’s persistence and its ability to adapt its tactics even after patches were released, and the speed at which the group was able to resume using established TTPs, underscore that timely vulnerability and patch management, though essential, is not a standalone defense,” the company noted.