New Malware Strikes 4,000+ ISPs, Enabling Hacker Remote Access

A newly discovered malware campaign has compromised over 4,000 Internet Service Providers (ISPs) across the West Coast of the United States and China, granting hackers remote access to critical infrastructure.

The campaign, identified by the Splunk Threat Research Team, is believed to originate from Eastern Europe and employs a combination of brute-force attacks, cryptomining payloads, and advanced evasion techniques.

Attack Overview

The malware capitalizes on weak credentials to infiltrate ISP systems using brute-force methods.

Once inside, attackers deploy a range of malicious binaries such as mig.rdp.exe, x64.exe, and migrate.exe to execute cryptomining operations and steal sensitive information.

These payloads are capable of disabling security features, exfiltrating data via Command and Control (C2) servers (including Telegram bots), and pivoting to other targets within the compromised network.

The malware primarily exploits Windows Remote Management (WINRM) services for lateral movement.

It uses encoded PowerShell scripts to disable antivirus protections, terminate competing cryptominers, and establish persistence on infected systems.

Additionally, it modifies directory permissions to restrict user access and ensure its files remain undetected.

Figure: Remote Access
Figure: Enable Inheritance Permission of a Directory

Technical Details

The campaign employs self-extracting RAR archives (SFX) to simplify deployment.

For instance, the mig.rdp.exe payload drops multiple files including batch scripts (ru.bat, st.bat) and executables (migrate.exe) which disable Windows Defender’s real-time monitoring and add malicious exceptions to avoid detection.

Another component, MicrosoftPrt.exe, functions as a clipboard hijacker targeting cryptocurrency wallet addresses for Bitcoin (BTC), Ethereum (ETH), Litecoin (LTC), and others.

The malware also uses mass scanning tools, such as masscan.exe, to identify vulnerable IP ranges within ISP infrastructure.

Once identified, it leverages SSH or WINRM protocols to gain further access.

Figure: SSH Connection Credentials

The attackers utilize Python-compiled executables for automation, minimizing their operational footprint while maintaining high efficiency in restricted environments.

Artifacts such as Superfetch.exe (an XMRig cryptominer), IntelConfigService.exe (an AutoIt script for defense evasion), and MicrosoftPrt.exe have been flagged by researchers.

These files are often hidden in unconventional directories like C:\Windows\Tasks\ or C:\ProgramData\.

The malware also manipulates registry keys to disable Remote Desktop Protocol (RDP) services and log off active users to hinder remediation efforts.

This campaign highlights the growing sophistication of malware targeting critical infrastructure providers.

By combining cryptomining with credential theft and advanced persistence mechanisms, the attackers aim to maximize resource exploitation while evading detection.

The use of Telegram bots as C2 servers further complicates traditional network monitoring efforts.

Splunk has released a set of detection rules to help organizations identify suspicious activity linked to this campaign.

These include alerts for unusual file paths, WINRM-based PowerShell executions, and DNS queries associated with Telegram APIs.
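The three detection themes above (executables in unusual paths, WINRM-spawned encoded PowerShell, Telegram API DNS lookups) can be checked against endpoint telemetry with logic like the following. This is an added example for illustration, not Splunk's published rules: the event shape, the sample events and the assumption that wsmprovhost.exe is the WinRM host process and api.telegram.org the Bot API host are the author's own, and the artifact names and directories come from the report above.

```python
import re

# Directories the report names as hiding places for the dropped binaries.
SUSPICIOUS_DIRS = ("c:\\windows\\tasks\\", "c:\\programdata\\")
# Artifact names taken from the report; match is on file name only.
REPORTED_NAMES = {"superfetch.exe", "intelconfigservice.exe", "microsoftprt.exe",
                  "mig.rdp.exe", "migrate.exe", "x64.exe", "masscan.exe"}
# PowerShell encoded-command switch in any of its accepted abbreviations.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")
TELEGRAM_API = "api.telegram.org"  # assumed Bot API host for C2 lookups

def check_process(image, parent_image, cmdline):
    """Return alert names for one process-creation event (Sysmon-like fields)."""
    alerts = []
    img = image.lower().replace("/", "\\")
    name = img.rsplit("\\", 1)[-1]
    if name.endswith(".exe") and any(img.startswith(d) for d in SUSPICIOUS_DIRS):
        alerts.append("exe_in_unusual_path")
    if name in REPORTED_NAMES:
        alerts.append("reported_artifact_name")
    if name == "powershell.exe" and ENCODED_FLAG.search(cmdline):
        alerts.append("encoded_powershell")
        # WinRM remote sessions are hosted by wsmprovhost.exe on the target.
        if parent_image.lower().endswith("\\wsmprovhost.exe"):
            alerts.append("winrm_spawned_encoded_powershell")
    return alerts

def check_dns(query_name):
    """Flag lookups of the Telegram Bot API host (or any subdomain of it)."""
    q = query_name.lower().rstrip(".")
    hit = q == TELEGRAM_API or q.endswith("." + TELEGRAM_API)
    return ["telegram_api_dns"] if hit else []

def scan(events):
    """Run both checks over a list of event dicts; return (index, alerts) pairs."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            found = check_process(ev["image"], ev.get("parent", ""), ev.get("cmdline", ""))
        else:
            found = check_dns(ev["query"])
        if found:
            hits.append((i, found))
    return hits

# Constructed sample events (not real telemetry); the encoded blob is just "ABC".
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\Tasks\\Superfetch.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "Superfetch.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\wsmprovhost.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"type": "process", "image": "C:\\Program Files\\Vendor\\app.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "app.exe"},
    {"type": "dns", "query": "api.telegram.org"},
    {"type": "dns", "query": "update.example.com"},
]
```

In a real deployment the same checks would be expressed as searches over Sysmon Event ID 1 and 22 (or equivalent EDR) data rather than over an in-memory list.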

As ISPs remain a critical backbone of digital connectivity, this attack underscores the urgent need for robust cybersecurity measures.

Organizations are advised to enforce strong password policies, monitor endpoint activity closely, and deploy advanced threat detection tools to mitigate risks associated with such sophisticated campaigns.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
