Amateur Hacker Leverages Bulletproof Hosting Server to Spread Malware

April 3, 2025, 6:31 p.m.

Description

A novice cybercriminal known as 'Coquettte' has been discovered using a Russian bulletproof hosting provider, Proton66, to distribute malware. The hacker's activities include deploying the Rugmi malware loader through a fake cybersecurity product website and selling guides for illegal substances and weapons. Coquettte is believed to be part of a loosely structured hacking collective called Horrid. The threat actor's infrastructure spans multiple domains and platforms, including GitHub, YouTube, and Last.fm. This network appears to serve as an incubator for aspiring cybercriminals, offering malware resources, hosting, and a collaborative environment for underground hacking activities.

Date

  • Created: April 3, 2025, 5:18 p.m.
  • Published: April 3, 2025, 5:18 p.m.
  • Modified: April 3, 2025, 6:31 p.m.

Indicators

  • xn--xuu.ws
  • horrid.xyz
  • terrorist.ovh
  • meth.su
  • cybersecureprotect.com
  • coquettte.com

Attack Patterns

  • Raccoon Stealer V2
  • Rugmi
  • Amadey - S1025
  • Rescoms
  • Lumma Stealer
  • Vidar
  • Coquettte

Additional Information

  • Russian Federation