Beyond the Breach: A New Malware-as-a-Service Campaign Deploys Stealthy Payloads
A new campaign has been observed within the malware-as-a-service (MaaS) ecosystem, where attackers employ a multi-stage delivery chain using PowerShell scripts hosted on external web servers. This technique conceals the final executables, delays investigations, and complicates infrastructure analysis. The initial stage involves PowerShell scripts that download intermediate loaders before executing the primary payload, such as a file named build.exe identified during analysis. This trojan establishes communication with the command-and-control server anodes[.]pro, which in the past two months alone has been linked to more than 60 malware samples, including the Amadey, Lumma, Luca, DeerStealer, and RedLine families, as well as Rugmi, BlackBasta, and DarkGate specimens.
Extended analysis via VirusTotal uncovered an additional DeerStealer sample leveraging the same C2 domain, enabling researchers to map the broader infrastructure. Associated domains include hugevcdn[.]pro, servicesmesh[.]pro, interconstructionsite[.]pro, zhuchengsantian[.]com, and others. These domains, registered through WebNIC and routed via Cloudflare, are deliberately shielded to hinder direct takedowns. A command server at 185.156.72[.]96 emerged as a central node in the campaign, hosting over 2,700 malicious files. This IP, alongside 185.156.72[.]2, is tied to AS61432 (TOV VAIZ PARTNER), an entity strongly suspected of operating within the bulletproof hosting ecosystem.
Attackers further exploit Amazon CloudFront, Amazon Global Accelerator, EC2, and GitHub for malware storage and delivery. On GitHub, researchers identified several active loaders, including NIOAHYWM.exe and OURDUBDV.exe, which connect to anodes[.]pro and multiport[.]shop. Overlapping SSL hashes suggest that CloudFront is likely being used as a proxy layer, redirecting traffic to the true C2 servers and obscuring their location.
Notably, despite law enforcement operations in May aimed at dismantling LummaStealer’s infrastructure, its activity has not diminished. On the contrary, Lumma remains one of the most in-demand tools among MaaS operators. The research highlights that attackers experimented with alternative loaders in June, yet the majority of campaigns continue to revolve around Lumma and Amadey, reaffirming the enduring demand for their ecosystems.