GHOSTYNETWORKS (AS205759) and OMEGATECH (AS202412) Bulletproof Hosting Power Obfuscated JavaScript Backdoor Spam Campaign Targeting Energy, Automotive, FMCG, and Government Finance Across Ukraine, Russia, Poland, Germany, and Transnistria — Threadlinqs Intelligence
Threat ID: TL-2026-0617 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: Unattributed financially motivated operator (Intrinsec tracked) · FINANCIAL
Intrinsec CTI exposed a financially motivated, multi-wave malicious-spam campaign distributing a heavily obfuscated JavaScript backdoor via ZIP/RAR/ISO archive attachments. Adversaries route both the
Intrinsec's CTI team tracked a sustained, financially motivated spam-borne backdoor operation whose infrastructure footprint traces back to mid-2025 and which surged into major distribution waves during March and April 2026. The operators deliberately split their malicious estate across two bulletproof autonomous systems, GHOSTYNETWORKS (AS205759) and OMEGATECH (AS202412): one hosts the spam-sending mail infrastructure, the other hosts the JavaScript backdoor's command-and-control domain together with a secondary spam-sending domain. A takedown at either provider therefore leaves the other half of the operation running, which is exactly the resilience the operators were buying.
GHOSTYNETWORKS LLC, which operates AS205759 and was registered in Kentucky in January 2026, currently announces six IPv4 prefixes: 36.255.97.0/24, 43.228.157.0/24, 46.151.182.0/24, 64.89.160.0/24, 64.89.161.0/24, and 83.142.209.0/24. Intrinsec links GHOSTYNETWORKS with high confidence to OPTIBOUNCE, a now-defunct Kentucky-registered network previously tied to the long-documented bulletproof RDP provider AnonRDP. The same principal, Daniel Mishayev, appears across multiple Kentucky-registered shell companies, each routinely flagged by spam-blocklist operators for abusive content. OMEGATECH (AS202412), nominally headquartered in the Seychelles, hosts the JS backdoor's C2 domain alongside a second spam-sending domain; Spamhaus assesses OMEGATECH to be a rebrand of, or front for, Virtualine, a Russia-based bulletproof hosting provider openly advertised on Russian-language underground criminal forums.
Delivery is mass phishing. Victims receive emails carrying ZIP, RAR, or ISO archives that contain a heavily obfuscated JavaScript stage (.js, .jse, or .mjs). When a user double-clicks the script, Windows Script Host (wscript.exe) interprets it; the stage deobfuscates itself at runtime, fingerprints the host (hostname, username, OS version, network configuration), assigns the infection a unique per-machine identifier so the handler can deduplicate and steer victims, and opens an outbound HTTP-like channel to the C2. The implant deliberately speaks to non-standard TCP destination ports (2002, 2004, and 7273), which sit outside the 80/443 traffic that web proxies inspect and that port-centric network rules are usually tuned for, and it disguises its requests with a legacy Internet Explorer user-agent string that blends into the residual long tail of legitimate browser traffic. The combination of archived script delivery, non-standard ports, and forged user-agent is designed to slip past default secure-email-gateway controls, network proxies, and out-of-the-box EDR network heuristics. The counterpoint for defenders is that wscript.exe initiating outbound connections at all is a strong signal, regardless of port or user-agent.
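The network-side behaviour just described, expressed as a detection routine: this is an added example written for this page, not a Threadlinqs rule and not Intrinsec's code. It takes the six GHOSTYNETWORKS prefixes and the three C2 ports from the write-up; the record shape, the process names, the particular hosts chosen inside the prefixes and the legacy-IE user-agent pattern are assumptions, and the log lines are constructed.

```python
"""Egress detection for the backdoor's network behaviour, run over constructed sample telemetry."""
import ipaddress
import json
import re

# The six GHOSTYNETWORKS (AS205759) prefixes listed in this write-up.
GHOSTYNETWORKS_PREFIXES = [ipaddress.ip_network(p) for p in (
    "36.255.97.0/24", "43.228.157.0/24", "46.151.182.0/24",
    "64.89.160.0/24", "64.89.161.0/24", "83.142.209.0/24",
)]

# Non-standard TCP destination ports reported for the implant's C2 channel.
C2_PORTS = {2002, 2004, 7273}

# Script hosts that have no business opening network connections on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Internal ranges excluded from the rule (RFC 1918 plus loopback), checked explicitly because
# ip_address.is_private would also exclude the RFC 5737 test nets used in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
)]

# ASSUMPTION: the implant's exact user-agent is not reproduced here; this matches the
# generic legacy IE form (Mozilla/4.0 with an MSIE 5-9 token).
LEGACY_IE_UA = re.compile(r"Mozilla/4\.0 \(compatible; MSIE [5-9]\.\d")

# Constructed sample records (not real logs): one JSON object per connection, with the
# originating process and HTTP user-agent joined in where available. The destination hosts
# inside the listed prefixes are arbitrary addresses chosen for the example.
SAMPLE_LOG = """
{"ts":"2026-04-02T09:14:03Z","src":"10.0.0.5","dst":"64.89.160.23","dport":2002,"proto":"tcp","proc":"wscript.exe","ua":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}
{"ts":"2026-04-02T09:14:09Z","src":"10.0.0.7","dst":"198.51.100.20","dport":443,"proto":"tcp","proc":"chrome.exe","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"ts":"2026-04-02T09:15:41Z","src":"10.0.0.9","dst":"203.0.113.10","dport":7273,"proto":"tcp","proc":"svchost.exe"}
{"ts":"2026-04-02T09:16:00Z","src":"10.0.0.5","dst":"10.0.0.1","dport":445,"proto":"tcp","proc":"System"}
{"ts":"2026-04-02T09:17:12Z","src":"10.0.0.12","dst":"83.142.209.9","dport":443,"proto":"tcp","proc":"chrome.exe","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_ghostynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GHOSTYNETWORKS_PREFIXES)


def classify(rec):
    """Return the reasons one connection record matches; an empty list means benign."""
    if is_internal(rec["dst"]):
        return []  # east-west traffic is out of scope for an egress rule
    reasons = []
    if rec.get("proto") == "tcp" and rec.get("dport") in C2_PORTS:
        reasons.append("nonstandard-c2-port")
    if in_ghostynetworks(rec["dst"]):
        reasons.append("ghostynetworks-prefix")
    if LEGACY_IE_UA.search(rec.get("ua", "")):
        reasons.append("legacy-ie-user-agent")
    if rec.get("proc", "").lower() in SCRIPT_HOSTS:
        reasons.append("script-host-egress")
    return reasons


def analyse(log_text):
    """Run classify() over newline-delimited JSON and return the findings, highest-risk first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            # A single indicator (e.g. a bare uncommon port) is noisy on its own; escalate
            # only when two or more independent indicators corroborate each other.
            findings.append({
                "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
                "reasons": reasons, "severity": "high" if len(reasons) >= 2 else "medium",
            })
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(json.dumps(finding))
```

In production the record shape would come from a join of Zeek conn.log/http.log (or proxy logs) with Sysmon Event ID 3, which supplies the originating process. The severity step-up matters: legitimate services do use ports like 2002 and 7273, so a port-only hit stays medium, while a script host talking to a bulletproof prefix with a stale IE user-agent is escalated immediately.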
Targeting is unambiguously financially motivated and cross-sectoral. Confirmed victims include a major Ukrainian fast-moving-consumer-goods holding, a Russian oil-refining enterprise, automotive industrial groups in Poland and Germany, and the Ministry of Finance of the unrecognized breakaway state of Transnistria. The April 2026 follow-on wave broadened the target set to additional financially sensitive institutions consistent with business-email-compromise (BEC) staging. FBI's IC3 has reported BEC losses exceeding $3 billion in 2025, and Intrinsec's targeting profile aligns with the staging phase of a BEC or finance-fraud operation rather than espionage; targeting of energy and government finance entities nonetheless raises significant escalation risk.
Mitigation guidance from Intrinsec includes hardening secure-email gateways to block .js, .jse, and .mjs attachments and any ZIP, ISO, or RAR archive containing executable scripts; deploying network telemetry rules that flag outbound TCP traffic to uncommon destination ports such as 2002/2004/7273, ideally correlated with the originating process so that script hosts making network connections surface on their own; reviewing endpoint policy to disable Windows Script Host where business-justifiable (the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings set to 0, or the .js/.jse file associations repointed to a text editor); and pairing technical controls with regular employee phishing-awareness simulations. Defenders should also block or alert on all six GHOSTYNETWORKS prefixes and the OMEGATECH (AS202412) prefix ranges at the perimeter and at DNS level.
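The gateway-side archive rule from the guidance above, as an added Python example (not Intrinsec's or Threadlinqs' tooling). It covers ZIP and ZIP-within-ZIP with the standard library only; RAR and ISO containers, which the guidance also names, would need third-party parsers (rarfile, pycdlib) and are not handled here. The extension list extends the page's .js/.jse/.mjs with the other Windows Script Host types, and the sample archives are constructed in memory.

```python
"""Attachment policy check: quarantine archives that carry Windows Script Host payloads."""
import io
import os
import zipfile

# Extensions the write-up says to block (.js, .jse, .mjs); .wsf, .vbs and .vbe are added
# here because Windows Script Host executes them the same way.
SCRIPT_EXTENSIONS = {".js", ".jse", ".mjs", ".wsf", ".vbs", ".vbe"}
MAX_NESTING = 3  # stop descending into archives-within-archives beyond this depth


def script_members(data, depth=0, prefix=""):
    """Return paths of script payloads inside a ZIP, descending into nested ZIPs.

    Nested archives that cannot be opened (encrypted, malformed, or nested too deep) are
    reported as hits too: a gateway that cannot inspect an archive should not deliver it.
    """
    label = prefix[:-2] if prefix.endswith("!/") else "<attachment>"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [label + " (unreadable archive)"]
    hits = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Use the LAST extension: "Invoice.pdf.js" is a script, whatever the name suggests.
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in SCRIPT_EXTENSIONS:
                hits.append(path)
            elif ext == ".zip":
                if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                    hits.append(path + " (encrypted, uninspectable)")
                elif depth >= MAX_NESTING:
                    hits.append(path + " (nesting too deep, uninspectable)")
                else:
                    hits.extend(script_members(archive.read(info), depth + 1, path + "!/"))
    return hits


def verdict(data):
    """Policy decision for one archive attachment."""
    hits = script_members(data)
    return {"action": "quarantine" if hits else "deliver", "hits": hits}


def build_sample_attachment():
    """Constructed lure: a double-extension script plus a nested archive carrying a .jse."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update/payload.jse", "// constructed placeholder, not the real stage\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_0417.pdf.js", "// constructed placeholder, not the real stage\n")
        z.writestr("readme.txt", "benign text\n")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment():
    """Constructed clean archive with no script members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 constructed placeholder\n")
        z.writestr("data.csv", "a,b\n1,2\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(verdict(build_sample_attachment()))
    print(verdict(build_benign_attachment()))
    print(verdict(b"not an archive"))
```

Two design points carry over to any real gateway policy: match on the final extension so double-extension lures like Invoice.pdf.js are caught, and fail closed on anything you cannot open (encrypted members, malformed or over-nested archives), since those are exactly the tricks used to get script payloads past inspection.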
Weaknesses (CWE)
CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-94 (Improper Control of Generation of Code), CWE-693 (Protection Mechanism Failure)
Target sectors: energy, oil-and-gas, automotive, fmcg, government, finance, manufacturing
Target regions: Ukraine, Russia, Poland, Germany, Transnistria, Eastern Europe, Central Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 29 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: MALWARE, HIGH, threat intelligence, cybersecurity, T1583, T1583.001, T1583.004, T1583.005, T1585, T1587.001, T1608.001, T1566.001, T1566, T1204.002