{"id":232031,"date":"2026-05-26T12:55:01","date_gmt":"2026-05-26T12:55:01","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=232031"},"modified":"2026-05-26T12:55:02","modified_gmt":"2026-05-26T12:55:02","slug":"pivoting-on-a-malspam-infrastructure-delivering-js-malware-backed-by-bulletproof-networks","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/pivoting-on-a-malspam-infrastructure-delivering-js-malware-backed-by-bulletproof-networks\/","title":{"rendered":"Pivoting on a malspam infrastructure delivering JS malware backed by bulletproof networks"},"content":{"rendered":"
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Key findings<\/h4>
\u00a0<\/div>

\u00b7<\/span>\u00a0\u00a0During the month of March 2026, multiple malspam campaigns<\/b> were launched to distribute a JavaScript coded backdoor<\/b>.<\/span><\/p>

\u00b7<\/span>\u00a0 \u00a0<\/span><\/span>The targets of those campaigns were from all regions and sectors<\/b>, notably energy<\/b> and finance ministries<\/b>, including in the CIS region<\/b>.<\/span><\/p>

\u00b7<\/span>\u00a0 <\/span><\/span>We believe the campaigns to be financially motivated and operated for Email account compromised <\/b>(EAC) and\/or business email compromise<\/b> (BEC).<\/span><\/p>

\u00b7\u00a0<\/span>Both the IP used to send the spam, and the C2 of the JavaScript backdoor, were hosted on two distinct bulletproof networks; US-based GHOSTYNETWORKS<\/b>, and Seychelles based OMEGATECH<\/b>.<\/span><\/p>

\u00b7 <\/span>GHOSTYNETWORKS<\/span><\/b> can seemingly be considered with a high level of confidence to be a rebrand of OPTIBOUNCE<\/b> and thus be linked to the unfamous hosting provider AnonRDP<\/b>. It was notably plebiscite by more sophisticated threat actors like TeamPCP<\/b>.<\/span><\/p>

\u00b7<\/span>\u00a0\u00a0<\/span><\/span>Based on various open-source intelligence, OMEGATECH <\/b>seems to be yet another network created by hosting provider Virtualine<\/b>, advertised on underground forums.<\/span><\/p>

\u00b7\u00a0<\/span>\u00a0<\/span><\/span>Pivots on the threat actor's infrastructure unveiled previous malspam and malware activities from the end of 2025, also backed by other bulletproof solutions<\/b>.\u00a0\u00a0<\/span><\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Intrinsec's CTI services<\/h4>
\u00a0<\/div>

Organizations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.<\/p>

For this report, shared with our clients in March 2026, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.<\/p>

Intrinsec also offers various services around Cyber Threat Intelligence:<\/p>