Historical OSINT - A Diversified Portfolio of Fake Security Software
Cybercriminals continue actively launching malicious and fraudulent campaigns, further spreading malicious software and potentially exposing the confidentiality, availability, and integrity of the targeted host to a multitude of malicious software.
In this post we'll profile a currently active portfolio of fake security software and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.
Known to have responded to the same malicious C&C server IPs (91.212.226.203; 94.228.209.195) are also the following malicious domains:
Known to have responded to the same malicious C&C server IPs (94.228.209.195) are also the following malicious domains:
Related fraudulent and malicious domains known to have participated in the campaign:
Known to have responded to the same malicious C&C server IPs (91.212.226.203) are also the following malicious domains:
We'll continue monitoring the campaign and post updates as soon as new developments take place.
