Bulletproof Hosts Fuel JS Malware Surge (Arabian Post)
The campaign, tracked across March 2026 activity, used malicious ZIP and RAR attachments to deliver an obfuscated JavaScript backdoor through malspam waves sent to victims in multiple regions. Targets included energy companies, finance ministries and commercial groups, with evidence pointing to financially motivated activity designed to support email account compromise and business email compromise.
The operation shows how relatively simple malware delivery can remain effective when supported by resilient infrastructure. The spam-sending servers and command-and-control systems were placed on two separate networks, complicating takedown and allowing attackers to distribute risk across different providers. GHOSTYNETWORKS, registered in the United States and operating under AS205759, was used to send spam. OMEGATECH, associated with AS202412 and a Seychelles-linked hosting footprint, was used for command-and-control and additional mail infrastructure.
Security analysts found that the March campaign began with spam waves on March 3 and March 5, followed by further activity on March 17 and March 24. One wave reached the professional email address of a senior technology executive at a Ukrainian distribution group. Another targeted Orsknefteorgsintez, a major oil-refining enterprise operating the Orsk Oil Refinery in Orenburg Oblast. Later activity reached organisations in Poland and Germany, including an automotive retail group, while April traffic included targeting of the Ministry of Finance of the Pridnestrovian Moldavian Republic, also known as Transnistria.
The emails used sender domains such as mail.talruit[.]com and mpwirerope[.]com, with infrastructure tied to IP addresses 83.142.209[.]64, 91.92.243[.]79 and 158.94.211[.]76. Attachments contained JavaScript files disguised as ordinary business documents, including purchase order and quotation-themed filenames. Once executed, the backdoor contacted its command server through non-standard ports including 2002, 2004, 2244, 3232, 6565, 7273 and 34567, sending system information and generating a unique identifier for infected machines.
The campaign fits a broader pattern in which attackers rely on JavaScript because it runs through built-in Windows scripting tools, avoids the need for software exploits and can pass through defences focused mainly on executable files. Such payloads have been used for years by initial-access brokers and malware operators, including groups that later deploy ransomware, credential theft tools or remote-access malware.
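The two traits described above, a backdoor launched by the built-in Windows script host and beaconing over the non-standard ports listed, combine into a simple detection. The following is an added example, not code from the article or its sources: it runs a rule over constructed Sysmon-style network-connection events (the hostnames, IPs and log format are assumptions for illustration) and flags script hosts talking to the campaign's ports or to any port other than 80/443.

```python
"""Flag wscript/cscript network connections to the campaign's C2 ports.

Input is constructed, Sysmon Event ID 3 style JSON lines (assumed format).
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Non-standard C2 ports reported for the campaign.
CAMPAIGN_C2_PORTS = {2002, 2004, 2244, 3232, 6565, 7273, 34567}
# Built-in Windows script hosts that execute .js attachments.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Ports a script host might legitimately use; anything else is suspicious.
ORDINARY_WEB_PORTS = {80, 443}


@dataclass
class Alert:
    host: str
    image: str
    destination: str
    reason: str


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious script-host connection, else None."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    port = int(event.get("DestinationPort", 0))
    destination = f"{event.get('DestinationIp', '?')}:{port}"
    if port in CAMPAIGN_C2_PORTS:
        return Alert(event.get("Computer", "?"), image, destination,
                     "script host to known campaign C2 port")
    if port not in ORDINARY_WEB_PORTS:
        return Alert(event.get("Computer", "?"), image, destination,
                     "script host to non-standard port")
    return None


def scan(log_lines: List[str]) -> List[Alert]:
    """Parse JSON lines, keep network-connection events (ID 3), classify each."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("EventID") != 3:
            continue
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (TEST-NET addresses, hypothetical hosts).
SAMPLE_LOG = [
    '{"EventID": 3, "Computer": "FIN-WS01", "Image": "C:\\\\Windows\\\\System32\\\\wscript.exe", "DestinationIp": "192.0.2.10", "DestinationPort": 6565}',
    '{"EventID": 3, "Computer": "FIN-WS01", "Image": "C:\\\\Program Files\\\\Browser\\\\browser.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443}',
    '{"EventID": 3, "Computer": "OPS-WS07", "Image": "C:\\\\Windows\\\\SysWOW64\\\\cscript.exe", "DestinationIp": "203.0.113.9", "DestinationPort": 8080}',
    '{"EventID": 1, "Computer": "OPS-WS07", "Image": "C:\\\\Windows\\\\System32\\\\wscript.exe"}',
]
```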
GHOSTYNETWORKS appears to have links to earlier abusive hosting activity. Its network includes prefixes flagged for abuse, and researchers assess it as connected with OPTIBOUNCE, a defunct network linked to AnonRDP. Some of the same infrastructure has been associated with other cybercrime operations, including TeamPCP, a financially motivated group that emerged in late 2025 and has been tied to cloud-native and software supply-chain attacks.
OMEGATECH presents a parallel concern. Its infrastructure has been linked to Virtualine, a Russia-based bulletproof hosting provider promoted on Russian-language underground forums. Analysts found that the network hosted the scan.aryamint[.]com command server used by the JavaScript backdoor, as well as mpwirerope[.]com. Separate intelligence indicated that the network hosted dozens of command-and-control servers on a single subnet, spanning multiple malware families.
Network telemetry also suggests that both providers supported wider malicious activity beyond the observed spam campaign. GHOSTYNETWORKS generated more than 30,000 honeypot hits during March, including scanning and brute-force attempts. OMEGATECH generated more than 642,000 hits in the same period, reflecting broader exposure across hostile infrastructure. The volume indicates that these networks are not isolated elements in one campaign but part of a larger ecosystem supporting cybercrime.
The victim profile strengthens the assessment that the operators were pursuing fraud. Business email compromise schemes typically exploit trusted email exchanges to redirect payments, manipulate invoices or obtain sensitive financial information. Email account compromise goes further by taking over genuine accounts, allowing attackers to monitor correspondence and intervene at the point where money is being transferred. Such attacks remain among the most costly forms of cybercrime, with annual reported losses running into billions of dollars.
The targeting of finance ministries and energy companies is notable because both sectors handle high-value transactions and sensitive communications. Smaller state institutions and companies with limited email authentication controls may face elevated risk, especially where SPF, DKIM and DMARC enforcement is weak or inconsistently applied. The use of broad malspam also suggests that the operators are combining volume-based targeting with opportunistic follow-up, rather than relying on a single highly tailored intrusion.