The Splunk Threat Research Team has uncovered a widespread cyber campaign targeting Internet Service Provider (ISP) infrastructure providers on the West Coast of the United States and in China. Over 4,000 ISP-related IPs were explicitly targeted in this campaign.
The attack, believed to have originated from Eastern Europe, uses brute-force tactics to exploit weak credentials. It deploys crypto-mining payloads and info-stealing binaries across compromised networks.
Multiple Attack Techniques
The observed cyber operation employs multiple attack techniques, including:
- Credential abuse – Initial access is gained through brute-force attacks using well-known weak credentials.
- Data exfiltration – Stolen data is transmitted to command and control (C2) servers.
- Additional malware deployment – Compromised systems can be used to launch further cyber threats.
- Self-termination mechanisms – Malicious programs are designed to shut down automatically to evade detection.
- Persistence and entrenchment – Attackers disable remote access to maintain control over infected systems.
- Lateral movement – Pivot attacks are conducted within targeted CIDR ranges.
According to Splunk researchers, the perpetrators are stealthy, operating with minimal intrusion and using scripting languages such as Python and PowerShell, tools that let them function effectively in restricted environments. They employ API calls (such as the Telegram bot API) to communicate with C2 servers.
How it works
Splunk researchers say the crooks behind this campaign use scripting-based techniques to limit their digital footprint, disable security defenses, and block remote access.
They used simple tools to install crypto-mining payloads and info-stealing malware, focusing on minimal intrusion to avoid detection. They primarily used scripting languages like Python and PowerShell, along with the Telegram API for command and control (C2). The goal was crypto-mining, specifically targeting Monero (XMR). The attack chain began with initial access via Windows Remote Management (WinRM), often using brute-force techniques.
The attackers deployed a RAR SFX executable (mig.rdp.exe) that dropped files into C:\Windows\Tasks, including XMRig miners and Clipbanker malware. Clipbanker steals information from the clipboard, targets cryptocurrency wallet addresses, and sends data to a Telegram bot C2 server. The malware authors ensured persistence by installing services and modifying startup folders.
“These attackers are employing ‘just enough’ activity to operate undetected while maximizing access to victims’ processing power,” Splunk analysts noted. Intelligence from Cisco Talos also corroborates the presence of this threat actor within targeted environments.
This campaign’s primary targets are ISP infrastructure providers on the U.S. West Coast and in China. Malefactors use the masscan tool to scan extensive IP address ranges, identifying vulnerable systems for brute-force attempts.
Defensive Measures and Splunk’s Response
In response to this threat, the Splunk Threat Research Team has released a set of security detections to help organizations identify indicators of compromise related to this campaign. These detections are included in the new Crypto Stealer Analytic Story, offering additional insights and tools for cybersecurity teams.
One key detection method involves identifying suspicious processes running from unusual file paths. Endpoint Detection and Response (EDR) tools play a key role in monitoring and mitigating these threats by focusing on anomalous process paths within endpoint data models.
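To illustrate the unusual-path detection described above, here is an added example (not Splunk's own detection content) that replays constructed, Sysmon-style process-creation records and flags images launched from directories such as C:\Windows\Tasks, the drop location named in this campaign. The C:\Windows\Temp and C:\Users\Public entries, the wsmprovhost.exe parent check (the host process for WinRM remote commands) and the sample records are assumptions for illustration.

```python
"""Flag process launches from directories that should hold data, not code."""
import re
from pathlib import PureWindowsPath

# Directories that rarely launch legitimate processes. C:\Windows\Tasks comes
# from the campaign write-up; the other two are assumed additions.
WATCHED_DIRS = [r"C:\Windows\Tasks", r"C:\Windows\Temp", r"C:\Users\Public"]

# WinRM remote commands run under this host process (assumed parent of interest).
WINRM_HOST = "wsmprovhost.exe"

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict:
    """Parse a key=value record; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def _norm(path: str) -> str:
    # Fold case and slash direction so C:/WINDOWS/tasks matches C:\Windows\Tasks.
    return str(PureWindowsPath(path)).lower()

def suspicious_dir(image: str):
    """Return the watched directory the image runs from, or None."""
    img = _norm(image)
    for d in WATCHED_DIRS:
        if img.startswith(_norm(d) + "\\"):
            return d
    return None

def scan(lines):
    """Return (host, image, reason) tuples for records that hit the watch list."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = suspicious_dir(ev.get("image", ""))
        if hit is None:
            continue
        reasons = [f"image under {hit}"]
        if PureWindowsPath(ev.get("parent", "")).name.lower() == WINRM_HOST:
            reasons.append("spawned by WinRM host process")
        findings.append((ev.get("host"), ev["image"], "; ".join(reasons)))
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    r'host=ws01 image="C:\Windows\Tasks\mig.rdp.exe" parent="C:\Windows\System32\wsmprovhost.exe"',
    r'host=ws01 image="c:/windows/tasks/xmrig.exe" parent="C:\Windows\Tasks\mig.rdp.exe"',
    r'host=ws02 image="C:\Windows\System32\svchost.exe" parent="C:\Windows\System32\services.exe"',
    r'host=ws03 image="C:\Users\Public\update.exe" parent="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for host, image, why in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} ({why})")
```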
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.