From 0e95328841680f05ee89030d18908e48228dc579 Mon Sep 17 00:00:00 2001 From: Mar-Pic Date: Wed, 25 Mar 2026 14:43:28 +0100 Subject: [PATCH] Create readme --- cancoillotte/readme | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 cancoillotte/readme diff --git a/cancoillotte/readme b/cancoillotte/readme new file mode 100644 index 0000000..98d3cdf --- /dev/null +++ b/cancoillotte/readme @@ -0,0 +1,24 @@ +Orange Cyberdefense CERT is observing since early 2026 an ongoing malvertising campaign leading to ScreenConnect RMM. +We track this cluster as Cancoillotte. +Delivery infrastructure consist of domains spoofing: +- AntiMicroX +- Bandicam +- CPU-Z +- CrystalDiskMark +- Defender Control +- DNS Jumper +- DS4Windows +- Ferdium +- GOM Player +- mGBA +- Process Hacker +- SteamTools +- tModLoader +Such domains are often hosted on 2[.]59.134.97 (ASN 58212 - Dataforest Gmbh) +Clicking on "Download" fetches a ZIP archive containing a ScreenConnect binary, from direct-download.giize[.]com. +Most of the ScreenConnect C2 we observed are hosted on ASN 58212 as well: +185[.]254.97.249 +176[.]96.137.225 + + +
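Review bot: the readme is missing provenance and detection context for the indicators it lists: the opening line gives "since early 2026" but no first-seen or last-seen dates for the domains, the hosting IP or the two C2 IPs, and there is no TLP marking or source statement, so a reader cannot tell how fresh or shareable these indicators are. Add a date (or date range) next to each indicator block and a TLP line at the top. The ZIP archive and the ScreenConnect binary fetched from direct-download.giize[.]com are described but not characterised: add at least the archive and binary hashes, and the ScreenConnect relay or instance identifier if known, since the IPs alone will not let a defender match the sample. On style, "Delivery infrastructure consist of domains spoofing:" should read "consists of", "Dataforest Gmbh" should be "GmbH", and defanging is inconsistent (the IPs bracket only the first dot while the domain brackets its last); pick one convention, and consider giving the file an extension (README.md) and trimming the three trailing blank lines so the indicators are easier to parse mechanically.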