Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers

Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts.
The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems.
The unidentified threat actors performed "minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised," the Cisco-owned company said in a technical report published last week.
"This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and Powershell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for C2 [command-and-control] operations."
The attacks have been observed leveraging brute-force attacks exploiting weak credentials. These intrusion attempts originate from IP addresses associated with Eastern Europe. Over 4,000 IP addresses of ISP providers are said to have been specifically targeted.
Upon obtaining initial access to target environments, the attacks have been found to drop several executables via PowerShell to conduct network scanning, information theft, and XMRig cryptocurrency mining by abusing the victim's computational resources.
Prior to the payload execution is a preparatory phase that involves turning off security product features and terminating services associated with cryptominer detection.

The stealer malware, besides featuring the ability to capture screenshots, serves akin to a clipper malware that's designed to steal clipboard content by searching for wallet addresses for cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX).
The gathered information is subsequently exfiltrated to a Telegram bot. Also dropped to the infected machine is a binary that, in turn, launches additional payloads -
- Auto.exe, which is designed to download a password list (pass.txt) and list of IP addresses (ip.txt) from its C2 server for carrying out brute-force attacks
- Masscan.exe, a multi masscan tool
"The actor targeted specific CIDRs of ISP infrastructure providers located on the West Coast of the United States and in the country of China," Splunk said.
"These IPs were targeted by using a masscan tool which allows operators to scan large numbers of IP addresses which can subsequently be probed for open ports and credential brute-force attacks."
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalPossible Username Enumeration
InformationalSec-Fetch-Site Header Has an Invalid Value
InformationalNon-Storable Content
InformationalContent-Type Header Empty
MediumInsecure HTTP Method
Free online web security scanner