Brute-Force Assault on 4K ISPs | Double-Check Your Passwords

A group of unknown cybercriminals has been targeting internet service providers in China and on the West Coast of the United States. Their goal is to infect systems with malware that steals data and mines cryptocurrency. These operations have been uncovered by researchers at the Splunk Threat Research Team.

How the Brute-Force Assault Unfolds

The attackers use weak passwords to break into servers, focusing on thousands of IP addresses from ISP networks. After they gain entry, they install different types of software that collect information, send data to external servers, and create ways to stay hidden on the compromised machines.

They also rely on scripting languages like Python and PowerShell to avoid detection. These tools let them run commands in restricted environments and even use services like Telegram for command-and-control (C2) functions.

Malware and Mining Software

Once the attackers have initial access, they use PowerShell to place several programs on the compromised system:

  • Network Scanning Tools: Help them look for other potential targets on the network.
  • Stealing Software: Captures screenshots, logs keystrokes, and grabs clipboard data—especially cryptocurrency wallet addresses (including BTC, ETH, LTC, and TRX).
  • Cryptocurrency Miners: XMRig is one of the main tools they install, using the victim’s computing power to mine crypto.

Before they activate these malicious programs, they try to disable security features on the host to stop any miner detection services.

Data Exfiltration and Brute-Force Assault

The sensitive information the criminals gather is sent to a Telegram bot. They also deploy another binary that runs even more programs, including:

  • Auto.exe: Fetches a password list (pass.txt) and a list of IP addresses (ip.txt) from the attackers’ server. The attackers then use these lists for brute-force attacks on other systems.
  • Masscan.exe: A tool that scans large blocks of IP addresses for open ports, paving the way for further attacks.

Ongoing Threat

According to Splunk, the threat actors are focusing on ISP networks in specific regions of China and on the West Coast of the U.S., scanning and probing for weak spots to continue their attacks. By using masscan and similar tools, they can quickly identify vulnerable systems and attempt to break in with brute-force techniques.

Security teams are encouraged to strengthen their password policies, keep their systems patched, and monitor for suspicious activity. This helps prevent these types of attacks from spreading further and affecting critical infrastructure.
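As an added example (not from the article or the Splunk report), a small Python detector for the brute-force phase described above: it groups failed logons by source address and flags sources that fail against several hosts in a short window, which is what spraying a password list across an address list looks like from the defender's side. The log line format and the sample lines are constructed for this illustration.

```python
"""Added example: flag brute-force logon activity over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp host result user src_ip" form.
SAMPLE_LOGS = """\
2025-03-04T10:00:01 srv-01 FAILED admin 203.0.113.7
2025-03-04T10:00:02 srv-01 FAILED root 203.0.113.7
2025-03-04T10:00:03 srv-02 FAILED admin 203.0.113.7
2025-03-04T10:00:04 srv-03 FAILED administrator 203.0.113.7
2025-03-04T10:00:05 srv-03 FAILED admin 203.0.113.7
2025-03-04T10:00:06 srv-03 FAILED guest 203.0.113.7
2025-03-04T10:00:30 srv-04 SUCCESS admin 203.0.113.7
2025-03-04T10:05:00 srv-01 FAILED alice 198.51.100.20
2025-03-04T10:05:09 srv-01 SUCCESS alice 198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAILED|SUCCESS) (\S+) (\d+\.\d+\.\d+\.\d+)$")

def parse(lines):
    """Yield (timestamp, host, result, user, src_ip) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), host, result, user, src

def find_bruteforce(lines, min_failures=5, min_hosts=2, window=timedelta(minutes=10)):
    """Return {src_ip: details} for sources with >= min_failures failed logons across
    >= min_hosts distinct hosts inside `window`; also note whether a SUCCESS followed
    the failures (a sign that one of the sprayed passwords worked)."""
    events = defaultdict(list)
    for ts, host, result, user, src in parse(lines):
        events[src].append((ts, host, result, user))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        fails = [e for e in evs if e[2] == "FAILED"]
        start = 0  # sliding window over time-ordered failures
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            chunk = fails[start:end + 1]
            hosts = {e[1] for e in chunk}
            if len(chunk) >= min_failures and len(hosts) >= min_hosts:
                if src not in hits or len(chunk) > hits[src]["failures"]:
                    success_after = any(e[2] == "SUCCESS" and e[0] >= chunk[-1][0] for e in evs)
                    hits[src] = {"failures": len(chunk), "hosts": sorted(hosts),
                                 "users": sorted({e[3] for e in chunk}),
                                 "success_after": success_after}
    return hits
```

Run `find_bruteforce(SAMPLE_LOGS)` to see the single flagged source; a hit with `success_after` set is the one to triage first, since the attackers' next step in this campaign is to drop PowerShell stagers and the miner.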