Full Report
A novice cybercrime actor has been observed leveraging the services of a Russian bulletproof hosting (BPH) provider called Proton66 to facilitate their operations. The findings come from DomainTools, which detected the activity after it discovered a phony website named cybersecureprotect[.]com hosted on Proton66 that masqueraded as an antivirus service. The threat intelligence firm said it
Analysis Summary
# Threat Actor: Coquettte
## Attribution & Identity
* **Identification:** An emerging and amateur cybercrime actor.
* **Associated Groups:** Believed to be loosely tied to a broader hacking group known as **Horrid**.
* **Self-Description:** Claims to be a "19 year old software engineer, pursuing a degree in Software Development" on a personal website.
## Activity Summary
Coquettte is leveraging bulletproof hosting (BPH) services, specifically Proton66 (also linked to PROSPERO), to distribute malware and engage in other illicit activities. Their operations were exposed due to an operational security (OPSEC) failure (e.g., an open directory) on their infrastructure.
Primary activities include:
1. Distributing malware disguised as legitimate antivirus tools (e.g., a ZIP archive named "CyberSecure Pro.zip").
2. Running other websites selling guides for manufacturing illegal substances and weapons.
## Tactics, Techniques & Procedures
- **Distribution Lure:** Masquerading malicious payloads as legitimate software, specifically a fake antivirus service hosted on a phony website (`cybersecureprotect[.]com`).
- **Malware Staging/Delivery:** Distributing a ZIP archive containing a Windows installer, which fetches secondary payloads from a remote C2 server.
- **Loader Usage:** Deploying the **Rugmi** (aka Penguish) loader.
- **Infrastructure OpSec Failure:** Exposed malicious infrastructure due to amateur mistakes, such as leaving directories open.
- **MITRE ATT&CK IDs:** Not explicitly mentioned in the text.
## Targeting
* **Sectors:** No specific sector. The fake antivirus site is aimed at general users looking for security software, so the lure targets individual end users rather than a vertical. The hosting provider (Proton66/PROSPERO) has historically been used for campaigns distributing banking credential phishing pages.
* **Geography:** Not specified, although infrastructure relies on a Russian bulletproof hosting provider.
* **Victims:** The final payloads delivered through the Rugmi loader (the Lumma, Vidar, and Raccoon information stealers) are commodity tools, so the victims are whichever end users or organizations run the fake installer. No specific organizational victims were named in relation to Coquettte's current campaign.
## Tools & Infrastructure
* **Malware Families Used:**
* **Rugmi** (aka Penguish) loader.
* Final payloads include information stealers such as **Lumma**, **Vidar**, and **Raccoon**.
* The hosting provider (Proton66) has previously facilitated distribution for **GootLoader**, **Matanbuchus**, **SpyNote**, **Coper (aka Octo)**, and **SocGholish**.
* **Infrastructure:**
* **Hosting:** Russian bulletproof hosting provider **Proton66** (linked to **PROSPERO**).
* **Fake Distribution Site:** `cybersecureprotect[.]com` (used as a distribution hub, masquerading as antivirus).
* **C2 Server:** `cia[.]tf` (registered using the email `root@coquettte[.]com`).
## Implications
Coquettte represents a low-skill, emerging threat actor who relies on established illicit services (BPH) to deliver a capable loader (Rugmi) and commodity information stealers. Their operations indicate a motivation combining financial gain (via information stealers) with other illicit activities (selling guides for illegal manufacturing). The actor's amateurish OPSEC failures provide valuable intelligence opportunities for defenders by exposing their development pipeline and infrastructure.
## Mitigations
- Implement strong endpoint detection and response capabilities capable of identifying known information stealers (Lumma, Vidar, Raccoon).
- Monitor the initial execution chain: ZIP archives masquerading as software installers or AV updates, and installers that fetch further payloads from a remote host immediately after execution.
- Focus on detecting connections to known or emerging bulletproof hosting providers or newly registered, suspicious domains used for C2 communication (e.g., `cia[.]tf`).
- Leverage threat intelligence feeds tracking TTPs associated with emerging actors leveraging BPH services.
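The following is an added example, not code from the DomainTools report or from the actor's toolkit. It runs the detection described in the mitigations above (the delivery chain in the TTP section and the C2/lure domains in the infrastructure section) over constructed proxy log lines. The log format, the AV-keyword heuristic, and every hostname other than the report's two indicators (`cybersecureprotect[.]com`, `cia[.]tf`) and lure archive name are assumptions. It handles two details a practitioner hits immediately: published indicators are defanged and must be refanged before matching, and domain matching must cover subdomains of `cia[.]tf` without also matching unrelated names that merely end in the same characters.

```python
"""Match proxy log lines against the report's IOCs (added example, not report code)."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Indicators from the report, kept in the defanged form in which they were published.
IOC_DOMAINS_DEFANGED = ["cybersecureprotect[.]com", "cia[.]tf"]
LURE_ARCHIVES = ["CyberSecure Pro.zip"]
# Assumption: keywords that make a ZIP download look like an AV product (heuristic only).
AV_THEMED_WORDS = ("antivirus", "secure", "protect", "defender")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('cia[.]tf', 'hxxps://') back into its live form."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://").lower())


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the IOC domain or is a subdomain of it.

    The leading dot in the endswith check is what keeps 'notcia.tf' from matching 'cia.tf'.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


@dataclass
class Alert:
    line_no: int
    host: str
    filename: str
    reasons: list


# Assumed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")


def classify(host: str, path: str, ioc_domains: list, lure_archives: list) -> tuple:
    """Return (decoded filename, list of reasons) for one request."""
    reasons = []
    filename = unquote(path.rsplit("/", 1)[-1]) if path else ""  # undo %20 etc.
    for d in ioc_domains:
        if domain_matches(host, d):
            reasons.append(f"known infrastructure: {d}")
            break
    lower = filename.lower()
    if lower in {a.lower() for a in lure_archives}:
        reasons.append(f"known lure archive: {filename}")
    elif lower.endswith(".zip") and any(w in lower for w in AV_THEMED_WORDS):
        reasons.append(f"AV-themed archive download: {filename}")
    return filename, reasons


def scan_proxy_log(text: str, ioc_domains_defanged=IOC_DOMAINS_DEFANGED,
                   lure_archives=LURE_ARCHIVES) -> list:
    """Scan log text line by line; unparsable lines are skipped rather than raising."""
    ioc_domains = [refang(d) for d in ioc_domains_defanged]
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        u = URL_RE.match(m["url"])
        if not u:
            continue
        filename, reasons = classify(u["host"], u["path"] or "", ioc_domains, lure_archives)
        if reasons:
            alerts.append(Alert(n, u["host"], filename, reasons))
    return alerts


# Constructed sample log (not real traffic): one benign line, the lure download, a
# subdomain of the C2 domain, an AV-themed ZIP from an unrelated host, and a lookalike
# domain that must NOT match.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200
2025-04-01T10:00:07Z 10.0.0.5 GET https://cybersecureprotect.com/download/CyberSecure%20Pro.zip 200
2025-04-01T10:00:12Z 10.0.0.5 POST http://update.cia.tf/gate.php 200
2025-04-01T10:00:30Z 10.0.0.9 GET https://cdn.example.net/tools/FreeAntivirusSetup.zip 200
2025-04-01T10:00:45Z 10.0.0.9 GET https://notcia.tf/ 200
"""

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.host} {a.filename!r} -> {'; '.join(a.reasons)}")
```

The AV-keyword rule is the noisy part and is deliberately separate from the indicator matches: a hit on `cybersecureprotect[.]com` or `cia[.]tf` is actionable on its own, while an AV-themed ZIP from an unknown host is only a triage lead that should be combined with domain age or reputation before it pages anyone.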