Key findings
· During the month of March 2026, multiple malspam campaigns were launched to distribute a JavaScript-coded backdoor.
· The targets of those campaigns were from all regions and sectors, notably energy and finance ministries, including in the CIS region.
· We believe the campaigns to be financially motivated and operated for email account compromise (EAC) and/or business email compromise (BEC).
· Both the IP used to send the spam and the C2 of the JavaScript backdoor were hosted on two distinct bulletproof networks: US-based GHOSTYNETWORKS and Seychelles-based OMEGATECH.
· GHOSTYNETWORKS can seemingly be considered, with a high level of confidence, to be a rebrand of OPTIBOUNCE and thus be linked to the infamous hosting provider AnonRDP. It was notably favored by more sophisticated threat actors like TeamPCP.
· Based on various open-source intelligence sources, OMEGATECH seems to be yet another network created by hosting provider Virtualine, advertised on underground forums.
· Pivots on the threat actor's infrastructure unveiled previous malspam and malware activities from the end of 2025, also backed by other bulletproof solutions.
Intrinsec's CTI services
Organizations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.
For this report, shared with our clients in March 2026, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation, which can be leveraged to continuously adapt the detection & response capabilities of our clients' existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to intrinsec.com/en/cyber-threat-intelligence/.
