mirror of
https://github.com/cert-orangecyberdefense/cti
synced 2026-06-08 14:45:26 +00:00
Orange Cyberdefense CERT has been observing, since early 2026, an ongoing malvertising campaign leading to the deployment of the ScreenConnect RMM tool.

We track this cluster as Cancoillotte.

The delivery infrastructure consists of domains spoofing the following software:

- AntiMicroX
- Bandicam
- CPU-Z
- CrystalDiskMark
- Defender Control
- DNS Jumper
- DS4Windows
- Ferdium
- GOM Player
- mGBA
- Process Hacker
- SteamTools
- tModLoader

Such domains are often hosted on 2[.]59.134.97 (ASN 58212 - Dataforest GmbH).

Clicking "Download" on these sites fetches a ZIP archive containing a ScreenConnect binary from direct-download.giize[.]com.

Most of the ScreenConnect C2 servers we observed are hosted on ASN 58212 as well:

185[.]254.97.249
176[.]96.137.225
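The following hunting script is an added example and is not part of the Orange Cyberdefense CERT note. It refangs the indicators published above (the delivery IP, the download domain and the two C2 IPs), matches them against proxy log lines, and additionally flags hostnames that embed one of the spoofed software names as lookalike candidates. The key=value log format, the sample log lines, the RFC 5737 test addresses and the lookalike heuristic are all constructed here for illustration; the note itself does not specify which IP direct-download.giize[.]com resolves to.

```python
import ipaddress
import re

# Indicators copied from the note above, still defanged as published.
DEFANGED_IPS = ["2[.]59.134.97", "185[.]254.97.249", "176[.]96.137.225"]
DEFANGED_DOMAINS = ["direct-download.giize[.]com"]
# Software whose names the delivery domains spoof, per the note.
SPOOFED_BRANDS = [
    "AntiMicroX", "Bandicam", "CPU-Z", "CrystalDiskMark", "Defender Control",
    "DNS Jumper", "DS4Windows", "Ferdium", "GOM Player", "mGBA",
    "Process Hacker", "SteamTools", "tModLoader",
]


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in the note so the value can be compared."""
    return indicator.replace("[.]", ".")


def squash(text: str) -> str:
    """Lower-case and keep only letters and digits, so that 'CPU-Z',
    'cpu-z' and 'cpuz' compare equal when looking for lookalike names."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}
IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
BRAND_TOKENS = {squash(b): b for b in SPOOFED_BRANDS}

# Constructed log format (hypothetical, not from the note):
#   <timestamp> client=<ip> dst=<ip> host=<fqdn> path=<url-path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) dst=(?P<dst>\S+) "
    r"host=(?P<host>\S+) path=(?P<path>\S+)$"
)


def classify(host: str, dst: str) -> list[str]:
    """Return the reasons a single connection is suspicious (empty if none)."""
    reasons = []
    host = host.lower().rstrip(".")
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain:" + host)
    try:
        if ipaddress.ip_address(dst) in IOC_IPS:
            reasons.append("ioc-ip:" + dst)
    except ValueError:
        pass  # destination is not an IP literal; skip the IP check
    # Lookalike heuristic (ours, not from the note): a spoofed brand name
    # embedded in a hostname we do not already know. This is a lead for
    # analyst review, not proof; vendor and mirror domains contain the same
    # tokens, and squashing the host also ignores label boundaries.
    if host not in IOC_DOMAINS:
        squashed = squash(host)
        for token, brand in BRAND_TOKENS.items():
            if token in squashed:
                reasons.append("lookalike:" + brand)
    return reasons


def hunt(lines: list[str]) -> list[dict]:
    """Parse constructed proxy log lines and return the suspicious ones."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; a real tool would log this
        reasons = classify(m["host"], m["dst"])
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "host": m["host"], "dst": m["dst"], "reasons": reasons})
    return hits


# Constructed sample log. The .example hostname and the 203.0.113.0/24
# addresses are placeholders; only the IOC values come from the note.
SAMPLE_LOG = [
    "2026-02-03T10:12:44Z client=10.1.2.3 dst=2.59.134.97 host=cpu-z-download.example path=/",
    "2026-02-03T10:12:51Z client=10.1.2.3 dst=203.0.113.55 host=direct-download.giize.com path=/CPU-Z.zip",
    "2026-02-03T10:13:20Z client=10.1.2.3 dst=185.254.97.249 host=185.254.97.249 path=/",
    "2026-02-03T10:15:00Z client=10.1.2.9 dst=203.0.113.10 host=www.example.com path=/",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["client"], "->", hit["host"], hit["dst"], ", ".join(hit["reasons"]))
```

Run against the constructed sample, the first three lines are reported (spoofed site on the delivery IP, the download domain, and a direct connection to one C2 IP) and the benign fourth line is not. The exact IOC matches are the high-confidence signal; the lookalike lines only point an analyst at domains to review, since the brand names also occur in legitimate hostnames.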