mirror of
https://github.com/cert-orangecyberdefense/cti
synced 2026-06-08 06:34:37 +00:00
Orange Cyberdefense CERT has been observing, since early 2026, an ongoing malvertising campaign leading to the ScreenConnect RMM tool.
We track this cluster as Cancoillotte.
The delivery infrastructure consists of domains spoofing the following software:
- AntiMicroX
- Bandicam
- CPU-Z
- CrystalDiskMark
- Defender Control
- DNS Jumper
- DS4Windows
- Ferdium
- GOM Player
- mGBA
- Process Hacker
- SteamTools
- tModLoader
Such domains are often hosted on 2[.]59.134.97 (ASN 58212 - Dataforest GmbH).
Clicking on "Download" fetches a ZIP archive containing a ScreenConnect binary, from direct-download.giize[.]com.
Most of the ScreenConnect C2 servers we observed are hosted on ASN 58212 as well:
185[.]254.97.249
176[.]96.137.225
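As an added defensive example (not part of the original advisory or the Orange Cyberdefense repository), the script below refangs the indicators listed above and runs them over proxy log lines. The log format, the sample lines and the file name in the ZIP download are constructed for the demonstration; only the IP addresses and the download domain come from the advisory.

```python
"""Match the Cancoillotte indicators from the advisory against proxy log lines."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as published in the advisory (defanged form kept verbatim).
DEFANGED_IPS = ["2[.]59.134.97", "185[.]254.97.249", "176[.]96.137.225"]
DEFANGED_DOMAINS = ["direct-download.giize[.]com"]


def refang(indicator: str) -> str:
    """Turn the defanged notation used in CTI reports back into a plain value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Validate the IPs once so a typo in the indicator list fails loudly, not silently.
IOC_IPS = {str(ipaddress.ip_address(refang(i))) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str  # "domain" or "ip"
    line: str


# Constructed (hypothetical) proxy log layout:
# "<timestamp> <client_ip> <method> <url_or_host:port> <destination_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d+)$"
)


def host_of(url: str):
    """Extract the host from a URL with a scheme; CONNECT targets have none."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else None


def domain_matches(host: str, ioc_domains) -> bool:
    """Exact match or subdomain of a listed domain."""
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_proxy_log(lines):
    """Return one Hit per line whose host or destination IP is a listed indicator."""
    hits = []
    for n, raw in enumerate(lines, 1):
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # malformed line: skip rather than crash the whole scan
        host = host_of(m["url"])
        dst = m["dst"]
        if host and domain_matches(host, IOC_DOMAINS):
            hits.append(Hit(n, host, "domain", raw))
        elif dst in IOC_IPS:
            hits.append(Hit(n, dst, "ip", raw))
    return hits


# Constructed sample log: benign traffic, the ZIP download, a C2 connection,
# a malformed line and a direct-to-IP request.
SAMPLE_LOG = [
    "2026-03-02T10:15:01Z 10.0.0.12 GET https://www.example.com/index.html 93.184.216.34 200",
    "2026-03-02T10:15:09Z 10.0.0.12 GET https://direct-download.giize.com/download.zip 2.59.134.97 200",
    "2026-03-02T10:16:40Z 10.0.0.12 CONNECT 185.254.97.249:443 185.254.97.249 200",
    "this line is not a proxy record",
    "2026-03-02T10:17:00Z 10.0.0.13 GET http://176.96.137.225/ 176.96.137.225 200",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator}")
```

Feed real proxy or DNS logs through `scan_proxy_log` after adapting `LOG_RE` to your own format; the domain check also catches subdomains of the listed download host, while the IP check flags connections to the hosting and C2 addresses even when the request carries no hostname.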