A newly discovered malware campaign has compromised over 4,000 Internet Service Providers (ISPs) across the West Coast of the United States and China, granting hackers remote access to critical infrastructure.
The campaign, identified by the Splunk Threat Research Team, is believed to originate from Eastern Europe and employs a combination of brute-force attacks, cryptomining payloads, and advanced evasion techniques.
Attack Overview
The malware capitalizes on weak credentials to infiltrate ISP systems using brute-force methods.
Once inside, attackers deploy a range of malicious binaries such as mig.rdp.exe, x64.exe, and migrate.exe to execute cryptomining operations and steal sensitive information.
These payloads are capable of disabling security features, exfiltrating data via Command and Control (C2) servers (including Telegram bots), and pivoting to other targets within the compromised network.
The malware primarily exploits Windows Remote Management (WINRM) services for lateral movement.
It uses encoded PowerShell scripts to disable antivirus protections, terminate competing cryptominers, and establish persistence on infected systems.
Additionally, it modifies directory permissions to restrict user access and ensure its files remain undetected.

Technical Details
The campaign employs self-extracting RAR archives (SFX) to simplify deployment.
For instance, the mig.rdp.exe payload drops multiple files, including batch scripts (ru.bat, st.bat) and executables (migrate.exe), which disable Windows Defender's real-time monitoring and add malicious exclusions to avoid detection.
Another component, MicrosoftPrt.exe, functions as a clipboard hijacker targeting cryptocurrency wallet addresses for Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), and others.
The malware also uses mass scanning tools, like masscan.exe, to identify vulnerable IP ranges within ISP infrastructure.
Once identified, it leverages SSH or WINRM protocols to gain further access.

The attackers use executables compiled from Python scripts for automation, minimizing their operational footprint while maintaining high efficiency in restricted environments.
Artifacts such as Superfetch.exe (an XMRig cryptominer), IntelConfigService.exe (an AutoIt script for defense evasion), and MicrosoftPrt.exe have been flagged by researchers.
These files are often hidden in unconventional directories like C:\Windows\Tasks\ or C:\ProgramData\.
The malware also manipulates registry keys to disable Remote Desktop Protocol (RDP) services and log off active users to hinder remediation efforts.
This campaign highlights the growing sophistication of malware targeting critical infrastructure providers.
By combining cryptomining with credential theft and advanced persistence mechanisms, the attackers aim to maximize resource exploitation while evading detection.
The use of Telegram bots as C2 servers further complicates traditional network monitoring efforts.
Splunk has released a set of detection rules to help organizations identify suspicious activity linked to this campaign.
These include alerts for unusual file paths, WINRM-based PowerShell executions, and DNS queries associated with Telegram APIs.
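The three detection themes mentioned above (binaries executing from the drop directories named in the article, encoded PowerShell spawned through WinRM, and DNS lookups for the Telegram API) can be expressed as simple host-telemetry rules. The following script is an added example written for this page, not Splunk's published detection content, and it runs over a handful of constructed Sysmon-style key=value log lines embedded inline. Two details are assumptions not stated in the article: that WinRM-launched shells appear with wsmprovhost.exe as their parent process, and that Telegram bot traffic resolves api.telegram.org.

```python
import re
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# Drop directories and file names taken from the article.
SUSPICIOUS_DIRS = ("c:\\windows\\tasks\\", "c:\\programdata\\")
KNOWN_NAMES = {"mig.rdp.exe", "x64.exe", "migrate.exe", "superfetch.exe",
               "intelconfigservice.exe", "microsoftprt.exe", "masscan.exe"}

# Assumptions (not from the article): WinRM-spawned shells run under
# wsmprovhost.exe, and the Telegram Bot API is reached via api.telegram.org.
WINRM_HOST = "wsmprovhost.exe"
TELEGRAM_DOMAIN = "telegram.org"

# Constructed sample telemetry, flattened key=value per line (not real logs).
SAMPLE_EVENTS = [
    r'EventType=ProcessCreate Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Windows\System32\wsmprovhost.exe CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    r'EventType=ProcessCreate Image=C:\Windows\Tasks\Superfetch.exe '
    r'ParentImage=C:\Windows\Tasks\migrate.exe CommandLine="Superfetch.exe -o pool.example"',
    r'EventType=ProcessCreate Image=C:\ProgramData\IntelConfigService.exe '
    r'ParentImage=C:\Windows\explorer.exe CommandLine="IntelConfigService.exe"',
    r'EventType=DnsQuery Image=C:\ProgramData\MicrosoftPrt.exe QueryName=api.telegram.org',
    r'EventType=ProcessCreate Image=C:\Windows\System32\notepad.exe '
    r'ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"',
    r'EventType=DnsQuery Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=www.example.org',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r'(?:^|\s)-e(?:c|nc|ncodedcommand)?\b', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value telemetry line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name portion of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_winrm_encoded_powershell(ev: Dict[str, str]) -> bool:
    """PowerShell with an encoded command whose parent is the WinRM host process."""
    return (ev.get("EventType") == "ProcessCreate"
            and basename(ev.get("Image", "")) in ("powershell.exe", "pwsh.exe")
            and basename(ev.get("ParentImage", "")) == WINRM_HOST
            and ENCODED_RE.search(ev.get("CommandLine", "")) is not None)


def rule_suspicious_path(ev: Dict[str, str]) -> bool:
    """Execution from the article's drop directories, or of a file name it lists."""
    if ev.get("EventType") != "ProcessCreate":
        return False
    image = ev.get("Image", "").lower()
    return image.startswith(SUSPICIOUS_DIRS) or basename(image) in KNOWN_NAMES


def rule_telegram_dns(ev: Dict[str, str]) -> bool:
    """DNS lookup for telegram.org or any subdomain (trailing dot tolerated)."""
    name = ev.get("QueryName", "").lower().rstrip(".")
    return (ev.get("EventType") == "DnsQuery"
            and (name == TELEGRAM_DOMAIN or name.endswith("." + TELEGRAM_DOMAIN)))


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "winrm_encoded_powershell": rule_winrm_encoded_powershell,
    "suspicious_path": rule_suspicious_path,
    "telegram_dns": rule_telegram_dns,
}


def detect(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, image_path) for every rule each event trips."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev.get("Image", "")))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Counter:
    """Count hits per rule, e.g. for a dashboard tile."""
    return Counter(name for name, _ in findings)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for name, image in hits:
        print(f"[{name}] {image}")
    print(dict(summarize(hits)))
```

The path rule is the noisiest of the three: C:\ProgramData\ legitimately hosts updater and agent binaries, so in production it should be paired with a signer or hash allowlist, while the WinRM-plus-encoded-command rule and the Telegram lookup from a non-browser process are specific enough to alert on directly.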
As ISPs remain a critical backbone of digital connectivity, this attack underscores the urgent need for robust cybersecurity measures.
Organizations are advised to enforce strong password policies, monitor endpoint activity closely, and deploy advanced threat detection tools to mitigate risks associated with such sophisticated campaigns.