Monday, June 16, 2025
HomeMalware52,000 Dangerous Command & Control Servers Take Down that Spreading Malware: It...

52,000 Dangerous Command & Control Servers Take Down that Spreading Malware: It Performs 2M Malicious Redirects a Day

Published on

SIEM as a Service

Follow Us on Google News

Around 52,000 Malicious Command & Control Severs has been taken down that continuously spreading Malware under well-documented infection chain called EITest.

EITest is a Sophisticated Malware infection chain that basically redirects users from a compromised website into exploit kit (EK) landing pages, social engineering schemes, and potential threats.

Its one of the oldest & largest infection chains, that performed a variety of dangerous infection by distributing ransomware, information stealers, and other malware.

- Advertisement - Google News

Recent Years EITest is one of the main sellers of malicious traffic to Exploit Kit (EK) operators and social engineering operations via compromised websites.

Also Read: Cloudflare Launches Spectrum to Protect Almost Entire Internet

EITest Infection History with Exploit Kit

Initially, during the period of 2017 researchers identified that it started using a variety of social engineering tactics and it was redirecting to a private EK known as Glazunov during 2013 and also its stared infecting rework infrastructure in the same year.

Later it directed into Angler Exploit Kit(EK) and the threat actors main motivation to spreading Zaccess Trojan and Glazunov was a private Exploit Kit(EK) used only by the EITest operators.

its reemerged again in 2014 with new infection pattern and started infecting with a new payload with 2 different categories

  • The actor is selling loads (infections) or
  • The actor is selling traffic (to other actors, a load seller, or both)
Accorinding to the Research that conducted by Proofpoint along with brillantit.com and abuse.ch, Based on EITest actor activity on underground forums and insights from Empire Exploit Kit(EK)  we confirmed that the actor was selling traffic. In 2014, we found that the actor was selling traffic in blocks of 50-70,000 visitors for US$20 per thousand, generating between $1,000 and $1,400 per block of traffic.

Recent Main infection chain via EITest mainly for social engineering, tech support scams that lead to eventually infected by the ransomware.

Malicious Servers take down by Sinkholing operation

Researchers create a new domain and Sinkholing (redirection of traffic from its original destination) the EITest operation that has been pointed to a new  IP address.

By generating those new domains, researchers were able to substitute the malicious server with a sinkhole in order to receive the traffic from the backdoors on the compromised websites.

Later they freeing them from the EITest C&Cs and their visitors from the resulting malicious traffic and injects.

The red box highlights the server we substituted with a sinkhole

Researchers analyzing the traffic using this Sinkholing operation and observe that sinkhole received almost 44 million requests from roughly 52,000 servers between  March 15 to April 4, 2018.

Aslo they decoding the malicious request and find the list of compromised domains as well as IP addresses and user agents of the users who had browsed to the compromised servers.

Those compromised websites are multiple content management systems and WordPress websites are the most infected websites.

Indicators of Compromise (IOCs)

IOC IOC Type Description
54dfa1cb[.]com|31.184.192.163 domain|ip EITest C&C (before sinkholing)
e5b57288[.]com|31.184.192.173 domain|ip EITest C&C (before sinkholing)
33db9538[.]com|31.184.192.173 domain|ip EITest C&C (before sinkholing)
9507c4e8[.]com|31.184.192.163 domain|ip EITest C&C (before sinkholing)
04d92810[.]com domain EITest Sinkhole
c84c8098[.]com domain EITest Sinkhole
e42d078d[.]com domain EITest Sinkhole
498296c9[.]com domain EITest Sinkhole
stat-dns[.com domain Seized domain controlling the DGA
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Unpatched IT Tool Opens Door – Hackers Breach Billing Software Firm via SimpleHelp RMM

Cybersecurity professionals and business leaders are on high alert following a confirmed breach of...

Fog Ransomware Uses Pentesting Tools to Steal Data and Launch Attacks

Fog ransomware incidents in recent years have exposed a dangerous new trend in cybercrime:...

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...