Malware Intelligence Report

Severity: High | Category: Phishing
Published: March 12, 2026
Threat Actors: Infrastructure-attribution cluster.
Tags: phishing, agenttesla, c2, apt, spearphishing

Classification: TLP:AMBER | Report Date: 2026-03-12 | Analyst: fgbot | Sample Reporter: abuse_ch


Executive Summary

This report documents a multi-stage AgentTesla credential-stealing campaign delivered via a heavily obfuscated JScript dropper disguised as a business "Request for Quote" document. The infection chain consists of four stages: a JScript dropper, an embedded PowerShell decryptor, a .NET reflective loader (DEV.dll), and the AgentTesla v3 final payload. The malware exfiltrates credentials, keystrokes, and clipboard data to an attacker-controlled SMTP server hosted in Ukraine. The operator exhibits low operational security, with plaintext credentials hardcoded in the payload and self-signed TLS certificates on the C2 mail server.


Sample Metadata

Field              | Value
SHA256             | eba6c85e9ad11c6457780c7edfd5cc5807d8b88d0edb76866fd39540c4678361
MD5                | f49c10a3bd04f2f0312773be0cd9ea53
SHA1               | 26ae4e519f01347f5ffe13743c4e3e75f69cd46c
Submitted Filename | Request for quote 77060.js
Stored Filename    | f49c10a3bd04f2f0312773be0cd9ea53.js
File Type          | ASCII text / JScript
File Size          | 1,343,328 bytes (1.3 MB)
First Seen         | 2026-03-12 17:17:58 UTC
VT Detections      | 22/76

Antivirus Detections (Selected)

Engine      | Detection Name
McAfeeD     | AgentTesla.AC
ESET        | JS/TrojanDropper.Agent.QAW
BitDefender | JS:Trojan.Cryxos.15791
ALYac       | JS:Trojan.Cryxos.15791
GData       | JS:Trojan.Cryxos.15791
Fortinet    | JS/Formbook.JAE!tr
Kaspersky   | HEUR:Trojan-Downloader.Script.Generic

Infection Chain Overview

The malware uses a four-stage infection chain designed to frustrate static analysis and sandboxing. Each stage decrypts or reflectively loads the next, maintaining only a minimal footprint on disk at each step.

Stage 0: JScript Dropper (.js, 1.3MB)
    └─> Stage 1: PowerShell Decryptor (.ps1, ~980KB, embedded in JS)
            └─> Stage 2: .NET Reflective Loader (DEV.dll, 47KB, embedded in PS1)
                    └─> Stage 3: AgentTesla Final Payload (240KB .NET PE, injected)

Stage 0: Initial JScript Dropper

File: f49c10a3bd04f2f0312773be0cd9ea53.js (submitted as "Request for quote 77060.js")
Size: 1,343,328 bytes

Obfuscation Technique

The JScript dropper is heavily obfuscated using a string-array rotation technique broadly similar to that produced by obfuscation tools in the ObfuscatorIO family. Key characteristics:

  • 565-entry rotation string table stored in var AR=[...] — a large array of encoded strings that the runtime decodes on demand.
  • String decoder function r() performs index arithmetic against the rotation table.
  • String lookup function A() wraps r() to resolve all string references at execution time, preventing static string extraction from source alone.
  • Initializer function C() seeds the rotation state prior to any payload execution.

COM Object References

The dropper references the following COM/ActiveX objects, indicating its environmental requirements and capabilities:

COM ProgID         | Purpose
WScript.Shell      | Command execution, registry write, shortcut creation
ADODB.Stream       | Binary file I/O for writing embedded payloads
MSXML2.DOMDocument | XML/base64 parsing utility
PowerShell         | Stage 1 PS1 execution
VBScript.RegExp    | String manipulation during deobfuscation

Execution Flow

  1. C() initializes the string rotation table.
  2. A() / r() decode all runtime strings on demand.
  3. ExecutePayload() orchestrates the following actions:
    • Writes the embedded Stage 1 PowerShell script to a .ps1 file in %TEMP%.
    • Launches PowerShell with -ExecutionPolicy Bypass -NonInteractive -WindowStyle Hidden via WScript.Shell.
    • Creates a .lnk shortcut in the Windows Startup folder for persistence.
    • Writes a registry Run key (HKCU\...\Run\GLOZVJ) pointing to the installed payload.

The dropper's large file size (1.3 MB) is primarily attributable to the embedded, base64-encoded Stage 1 PowerShell script (~980 KB).


Stage 1: Multi-Stage PowerShell Decryptor

Embedded in: Stage 0 JScript string table (base64-encoded)
Decoded size: ~980 KB
Type: PowerShell script

Description

The PowerShell script includes the comment header "Multi-Stage Rotational XOR Decryption Framework", a deliberate naming convention that describes its own architecture. It implements a five-sub-stage decryption pipeline:

Sub-Stage | Variable / Component         | Role
1         | $securecontainer             | Holds the encrypted binary blob (~962 KB, base64-encoded)
2         | Base64 reconstruction module | Decodes $securecontainer into raw bytes
3         | Rotational XOR decryptor     | Applies key-rotating XOR cipher to produce the Stage 2 PE
4         | $masterdecoder               | Orchestrates sub-stages 2 and 3
5         | $executionhandler            | Invokes the resulting PE in memory via Invoke-Expression

Rotational XOR Cipher

The XOR decryption algorithm uses a rotating key position rather than a simple repeating XOR. The key position for each byte is computed as:

keyPosition     = (bytePos + rotationTracker) % keyLen
rotationTracker = (rotationTracker + key[keyPosition]) % 7

Because the rotation tracker is advanced by each key byte it consumes, the key byte applied to a given ciphertext byte depends on the entire preceding key schedule rather than on the byte position alone. The cipher is therefore not a simple repeating-key XOR, and brute-force keyspace attacks without the full key are impractical.

XOR Key Material

Encoding | Value
Base64   | VRbDCXBbSgCtUEyICdn420qmiFD2vr/A6GgKzTP1sE4=
Hex      | 5516c309705b4a00ad504c8809d9f8db4aa68850f6bebfc0e8680acd33f5b04e
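The following is an added analyst reimplementation of the rotational XOR described above, written for this report's readers; it is not code from the sample or from the Stage 1 script. It follows the two update rules quoted in the section exactly, assumes the rotation tracker starts at 0 (the report does not state the initial value), and uses the key material listed in the table. Since the key schedule depends only on the key and the byte position, the same routine encrypts and decrypts, so an analyst who has recovered the key from the script can decrypt $securecontainer deterministically. The sample container in the block is constructed for the demonstration and is not the real Stage 2 payload.

```python
from __future__ import annotations

import base64

# XOR key material as listed in the report (recovered from the Stage 1 script).
KEY_B64 = "VRbDCXBbSgCtUEyICdn420qmiFD2vr/A6GgKzTP1sE4="
KEY = base64.b64decode(KEY_B64)


def key_positions(key: bytes, length: int, rotation_mod: int = 7) -> list[int]:
    """Return the key index consumed for each of the first `length` bytes.

    Implements the rules quoted in the report:
        keyPosition     = (bytePos + rotationTracker) % keyLen
        rotationTracker = (rotationTracker + key[keyPosition]) % 7
    The tracker is assumed to start at 0 (assumption; not stated in the report).
    """
    positions: list[int] = []
    tracker = 0
    for byte_pos in range(length):
        key_pos = (byte_pos + tracker) % len(key)
        positions.append(key_pos)
        tracker = (tracker + key[key_pos]) % rotation_mod
    return positions


def rotational_xor(data: bytes, key: bytes, rotation_mod: int = 7) -> bytes:
    """Apply the rotational XOR keystream to `data`.

    The keystream depends only on the key and the position, never on the
    ciphertext, so this single function both encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    out = bytearray(len(data))
    tracker = 0
    for byte_pos, c in enumerate(data):
        key_pos = (byte_pos + tracker) % len(key)
        out[byte_pos] = c ^ key[key_pos]
        tracker = (tracker + key[key_pos]) % rotation_mod
    return bytes(out)


def decrypt_container(b64_blob: str, key: bytes) -> bytes:
    """Sub-stages 2 and 3 of the pipeline: base64-decode, then rotational XOR."""
    return rotational_xor(base64.b64decode(b64_blob), key)


def looks_like_pe(blob: bytes) -> bool:
    """Analyst sanity check: a correctly decrypted Stage 2 should start with an MZ header."""
    return blob[:2] == b"MZ"


# Constructed demonstration container (NOT the real Stage 2 payload): a fake
# PE-like prefix so the round trip and the MZ check can be exercised offline.
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 8
SAMPLE_CONTAINER_B64 = base64.b64encode(rotational_xor(SAMPLE_PLAINTEXT, KEY)).decode()

if __name__ == "__main__":
    recovered = decrypt_container(SAMPLE_CONTAINER_B64, KEY)
    print("key positions for first 8 bytes:", key_positions(KEY, 8))
    print("recovered header is PE:", looks_like_pe(recovered), recovered[:4])
```

With the real container, `decrypt_container($securecontainer, KEY)` should yield a 47 KB PE; if the MZ check fails, the initial tracker value or the modulus is the first thing to revisit.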

Stage 2: .NET Reflective Loader (DEV.dll)

Size: 47 KB
Format: PE32 .NET DLL
PE Sections: 4
Assembly GUID: ef3c7d6a-da4e-4ac2-9b35-d57b6ca04251

Identification

Attribute    | Value
Namespace    | DEV
Class        | DOWN
Entry Method | SHOOT

The loader is a compact .NET DLL whose sole purpose is to inject the Stage 3 AgentTesla payload into a host process using reflective loading techniques.

Injection Mechanism

  • Uses LoadLibraryA and GetProcAddress via P/Invoke to locate shellcode execution primitives in native Windows DLLs.
  • The DEV.DOWN.SHOOT method orchestrates process-hollowing into the injection target.
  • Injection target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe — a legitimate signed Microsoft .NET utility chosen to blend in with normal system activity.

Persistence Monitoring

The loader implements a Start-MonitoringCycle loop that polls for the presence of the Aspnet_compiler.exe process every 5 seconds. If the process is not found (e.g., killed by the user or an AV product), the loader re-injects the payload automatically. This watchdog mechanism significantly complicates manual remediation.


Stage 3: AgentTesla Final Payload

Size: 240 KB
Format: PE32 GUI .NET assembly
PE Sections: 3
Assembly GUID: db0ffc43-fde8-4e4a-8ebf-2d30cae27e9c
Delivery: Process-hollowed into Aspnet_compiler.exe

Overview

AgentTesla is a commercially sold and widely distributed .NET-based information stealer and keylogger, operated as Malware-as-a-Service (MaaS). This sample is consistent with AgentTesla v3 in SMTP exfiltration mode. The payload was fully decompiled with ILSpyCMD, allowing complete extraction of its configuration and capability data.


AgentTesla Configuration (Extracted)

The following configuration values were extracted directly from the decompiled .NET assembly:

Parameter               | Value
EnableKeylogger         | True
EnableClipboardLogger   | True
EnableScreenLogger      | False
EnableTorPanel          | False
EnableCookies           | False
EnableContacts          | False
DeleteBackspace         | False
KeyloggerInterval       | 20 minutes
ScreenInterval          | 20 minutes
LogType                 | 1
SmtpSSL                 | False
SmtpPort                | 587
SmtpAttach              | False
SmtpServer              | mail.cottondreams.org
SmtpSender              | paid@cottondreams.org
SmtpPassword            | Payday2025
SmtpReceiver            | receive1@cottondreams.org
AppAddStartup           | False
StartupEnvName          | appdata
StartupDirectoryName    | GLOZVJ
StartupInstallationName | GLOZVJ.exe
StartupRegName          | GLOZVJ
PublicUserAgent         | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Note: Startup persistence is configured within the payload but AppAddStartup is set to False, indicating the JS dropper (Stage 0) handles persistence independently via the LNK and registry Run key mechanisms described above.


Capabilities

Keylogging

AgentTesla installs a low-level keyboard hook (WH_KEYBOARD_LL) to capture all keystrokes system-wide. Captured keystrokes are buffered and transmitted every 20 minutes via SMTP. Email subject prefix: KL.

Clipboard Monitoring

The payload registers as a clipboard viewer using SetClipboardViewer / ChangeClipboardChain to intercept clipboard contents continuously. Clipboard data is included in exfiltration emails.

Screen Capture

Screen capture capability (CopyFromScreen) is present in the compiled code but disabled in this sample configuration (EnableScreenLogger = False). Email subject prefix when active: SC.

Credential Stealing

The payload targets a broad range of credential stores. Stolen credentials are packaged and emailed with subject prefix PW.

Chromium-Based Browsers

Chrome, Edge Chromium, Chromium, Opera, Vivaldi, Brave, Yandex Browser, Coccoc, Torch, Kometa, Orbitum, Coowon, Sputnik, Uran, Sleipnir 6, Elements Browser, 360 Browser, Liebao Browser

Mozilla-Based Browsers

Firefox, Waterfox, CyberFox, PaleMoon, K-Meleon, Postbox, Flock, Thunderbird

Legacy / Other Browsers

Internet Explorer, Microsoft Edge Legacy, UC Browser, Safari for Windows, QQ Browser, Falkon Browser

Email Clients

Microsoft Outlook (Office versions 11 through 16), Foxmail, Opera Mail, eM Client, IncrediMail, Eudora

FTP Clients

FileZilla (via recentservers.xml), CoreFTP, WinSCP, FlashFXP, FTP Navigator, SmartFTP, WS_FTP (3DES-encrypted credentials), FTP Commander, FTPGetter

VPN Clients

OpenVPN, NordVPN

Messaging / Token Theft

Discord (session token extraction from local storage files)

Victim Fingerprinting

Prior to exfiltration, the payload collects the following victim system information and includes it in each email:

  • Computer name
  • Public IP address (via IpApi geolocation service)
  • Operating system version

Anti-Analysis Techniques

Technique                  | Description
Process injection          | Payload runs inside signed Aspnet_compiler.exe, not standalone
Multi-layer obfuscation    | Four-stage chain: JS → PS1 → .NET loader → .NET payload
Process watchdog           | Re-injection if Aspnet_compiler.exe is terminated
TLS version permissiveness | TLS 1.0, 1.1, and 1.2 all enabled; certificate validation bypassed
In-memory execution        | Stages 1–3 never written to disk as standalone files

C2 Infrastructure

Primary Domain: cottondreams.org

Attribute      | Value
Resolves To    | 31.222.235.198
Country        | Ukraine (Kyiv)
ASN            | AS202302
ISP / Org      | NETH LLC
Registrar      | NameCheap, Inc.
Domain Created | 2024-03-24
Domain Expires | 2026-03-24
Nameservers    | cosmin.ns.cloudflare.com, jacqueline.ns.cloudflare.com
SPF Record     | v=spf1 ip4:31.222.235.198 ~all
MX Record      | mail.cottondreams.org (priority 10)
VT Reputation  | Malicious (CRDF, CyRadar, Forcepoint, Fortinet:spam, Seclookup, Webroot, alphaMountain)

The domain was registered approximately two years before the sample was first observed, suggesting either long-term infrastructure investment or repurposed hosting.

Open Services on 31.222.235.198 (Shodan)

Port     | Protocol      | Service        | Notable Details
21/tcp   | FTP           | ProFTPD        | "220 ProFTPD Server (Debian)"
22/tcp   | SSH           | OpenSSH 8.9p1  | Ubuntu 3ubuntu0.13
25/tcp   | SMTP          | Exim 4.95      | STARTTLS; fake cert (CN=etc, O=CompanyName, C=EE)
80/tcp   | HTTP          | nginx 1.28.0   | FASTPANEL default hosting page
110/tcp  | POP3          | Dovecot        | CN=dedaGLmj.netx.com.ua
143/tcp  | IMAP          | Dovecot        | CN=dedaGLmj.netx.com.ua
443/tcp  | HTTPS         | nginx 1.28.0   | FASTPANEL (CN=parking, O=FASTPANEL)
465/tcp  | SMTPS         | Exim 4.95      | SSL; fake cert
587/tcp  | SMTP/STARTTLS | Exim 4.95      | Active C2 exfiltration port
993/tcp  | IMAPS         | Dovecot        | CN=dedaGLmj.netx.com.ua
995/tcp  | POP3S         | Dovecot        | CN=dedaGLmj.netx.com.ua
7777/tcp | HTTP          | nginx          | Web panel / application
8888/tcp | HTTP          | nginx          | 302 redirect

Operator OPSEC Failures

The operator demonstrated several significant operational security failures:

  1. Hardcoded SMTP credentials in plaintext. The password Payday2025 is stored unencrypted in the .NET PE and is extractable without executing the sample in a sandbox — any static .NET decompiler recovers it directly.

  2. Fake TLS certificates on mail server. Ports 25, 465, and 587 on the C2 host present a self-signed certificate with placeholder values (C=EE, CN=etc, L=Tallinn, O=CompanyName), a clear network indicator detectable by TLS inspection tools.

  3. Dovecot SSL certificate leaks alternate hostname. The IMAP/POP3 services (ports 110, 143, 993, 995) present a certificate with CN=dedaGLmj.netx.com.ua, revealing an alternate hostname on the same IP that can be used for pivot searches and attribution.

  4. FASTPANEL hosting control panel exposed. The nginx default page on ports 80 and 443 is the FASTPANEL web hosting control panel with no domain configured, confirming the server is a rented VPS on Ukrainian hosting infrastructure with minimal hardening.

Indicator            | Type     | Notes
dedaGLmj.netx.com.ua | Hostname | Alternate hostname on 31.222.235.198, leaked via Dovecot SSL cert
netx.com.ua          | Domain   | Ukrainian hosting provider domain

VirusTotal pivot on 31.222.235.198 reveals at least 10 additional malware samples communicating with this infrastructure, including filenames: advise invoice P100186803.exe, CRYPTED.exe, Anglophile.exe, wbt7azg.exe. These are consistent with ongoing AgentTesla SMTP exfiltration campaigns operated from the same server.


MITRE ATT&CK Mapping

Technique ID | Name                                                      | Implementation
T1566.001    | Phishing: Spearphishing Attachment                        | JS file delivered as "Request for quote" lure targeting procurement/finance
T1059.007    | Command and Scripting Interpreter: JavaScript             | JScript dropper (Stage 0)
T1059.001    | Command and Scripting Interpreter: PowerShell             | PowerShell launched with -ExecutionPolicy Bypass -WindowStyle Hidden
T1140        | Deobfuscate/Decode Files or Information                   | Multi-stage base64 + rotational XOR decryption pipeline
T1027        | Obfuscated Files or Information                           | 565-entry string-array rotation obfuscation in JScript
T1027.002    | Obfuscated Files or Information: Software Packing         | Base64-encoded PE embedded within PS1 script
T1055        | Process Injection                                         | Reflective .NET injection into Aspnet_compiler.exe
T1055.004    | Process Injection: Asynchronous Procedure Call            | DEV.DOWN.SHOOT method using LoadLibraryA / GetProcAddress
T1547.001    | Boot or Logon Autostart Execution: Registry Run Keys      | HKCU\...\Run\GLOZVJ
T1547.009    | Boot or Logon Autostart Execution: Shortcut Modification  | LNK shortcut written to Startup folder
T1056.001    | Input Capture: Keylogging                                 | WH_KEYBOARD_LL low-level keyboard hook
T1115        | Clipboard Data                                            | SetClipboardViewer / ChangeClipboardChain
T1113        | Screen Capture                                            | CopyFromScreen present but disabled in this build
T1555.003    | Credentials from Password Stores: Web Browser             | Chromium and Mozilla-based browser credential extraction
T1555        | Credentials from Password Stores                          | Email client and FTP client credential extraction
T1552.001    | Unsecured Credentials: Credentials in Files               | FTP client configuration file parsing (e.g., FileZilla recentservers.xml)
T1041        | Exfiltration Over C2 Channel                              | SMTP exfiltration to receive1@cottondreams.org
T1071.003    | Application Layer Protocol: Mail Protocols                | SMTP on port 587 to mail.cottondreams.org
T1082        | System Information Discovery                              | Enumerates OS version and computer name
T1614        | System Location Discovery                                 | Public IP geolocation via IpApi
T1057        | Process Discovery                                         | Get-Process Aspnet_compiler watchdog check

Campaign Context

Attribute              | Assessment
Lure Theme             | Business Email Compromise (BEC) — purchase order / request for quotation
Target Demographic     | Procurement, finance, and supply-chain personnel
File Naming Convention | "Request for quote [number].js" — implies mass or semi-targeted distribution
First Observation      | 2026-03-12 (this sample)
Domain Registration    | 2024-03-24 — infrastructure nearly two years old
Campaign Scale         | 10+ additional malware samples using same C2 IP
Business Model         | Likely AgentTesla Malware-as-a-Service (MaaS) purchase with operator-supplied SMTP credentials

The campaign follows a well-established pattern for AgentTesla deployment: a socially engineered email attachment impersonating a business document triggers a multi-stage dropper chain that ultimately installs a credential stealer configured to exfiltrate data via SMTP to an attacker-controlled mailbox. The use of Cloudflare nameservers for the C2 domain provides some degree of IP concealment at the DNS layer, though the actual mail server hostname is hardcoded in the payload configuration and resolves directly to the C2 IP.


Attribution

Attribute           | Assessment
Confidence Level    | MEDIUM
Threat Actor Type   | Financially motivated cybercriminal
Suspected Origin    | Likely Nigerian/West African BEC actor based on campaign patterns (lure themes, tooling); infrastructure is Ukraine-hosted
MaaS Operator       | Unknown — purchased or leased AgentTesla builder
Infrastructure Host | NETH LLC, Ukraine (AS202302) — low-cost hosting frequently abused by threat actors
OPSEC Level         | LOW — plaintext credentials in payload, fake TLS certificates, minimal infrastructure hardening
Campaign Name       | Unattributed — consistent with AgentTesla v3 SMTP exfiltration campaigns

Indicators of Compromise (IOCs)

File Hashes

Type   | Hash
SHA256 | eba6c85e9ad11c6457780c7edfd5cc5807d8b88d0edb76866fd39540c4678361
MD5    | f49c10a3bd04f2f0312773be0cd9ea53
SHA1   | 26ae4e519f01347f5ffe13743c4e3e75f69cd46c

Network Indicators

Indicator                 | Type          | Role
cottondreams.org          | Domain        | C2 / mail server domain
mail.cottondreams.org     | Hostname      | SMTP C2 exfiltration endpoint
31.222.235.198            | IPv4          | C2 infrastructure IP (Ukraine, AS202302, NETH LLC)
paid@cottondreams.org     | Email address | SMTP sender (attacker-controlled)
receive1@cottondreams.org | Email address | SMTP receiver (attacker inbox)

Encryption and Authentication Material

Type             | Value
XOR Key (Base64) | VRbDCXBbSgCtUEyICdn420qmiFD2vr/A6GgKzTP1sE4=
XOR Key (Hex)    | 5516c309705b4a00ad504c8809d9f8db4aa68850f6bebfc0e8680acd33f5b04e
SMTP Credential  | paid@cottondreams.org / Payday2025

Host-Based Indicators

Indicator                            | Type               | Details
%APPDATA%\GLOZVJ\GLOZVJ.exe          | File path          | Persistence installation location
GLOZVJ                               | Registry value     | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLOZVJ
Aspnet_compiler.exe                  | Process name       | Injection host process (C:\Windows\Microsoft.NET\Framework\v4.0.30319\)
%TEMP%\*.ps1                         | File path pattern  | Stage 1 PowerShell dropper written to disk
%TEMP%\log.tmp                       | File path          | Keylogger buffer file
ef3c7d6a-da4e-4ac2-9b35-d57b6ca04251 | .NET Assembly GUID | DEV.dll (Stage 2 reflective loader)
db0ffc43-fde8-4e4a-8ebf-2d30cae27e9c | .NET Assembly GUID | AgentTesla payload (Stage 3)

Unique Strings

String                                         | Location                       | Significance
Payday2025                                     | Stage 3 .NET config            | SMTP authentication password
GLOZVJ                                         | Stage 3 .NET config            | Installation / persistence directory and registry name
Multi-Stage Rotational XOR Decryption Framework | Stage 1 PS1 comment header     | Unique string for YARA / memory detection
DEV.DOWN.SHOOT                                 | Stage 2 .NET method signature  | Unique .NET method path for detection

Detection and Response Guidance

Network-Based Detection

  • Block or alert on SMTP connections to mail.cottondreams.org / 31.222.235.198:587.
  • Alert on TLS certificates with CN=etc, O=CompanyName, C=EE on SMTP ports (indicator of fake cert on attacker mail server).
  • Monitor for DNS queries to cottondreams.org or dedaGLmj.netx.com.ua.

Endpoint-Based Detection

  • Alert on WScript.exe spawning powershell.exe with -ExecutionPolicy Bypass -WindowStyle Hidden.
  • Monitor for .ps1 file creation in %TEMP% followed by PowerShell execution.
  • Detect new .lnk files appearing in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.
  • Alert on registry write to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with value name GLOZVJ.
  • Monitor Aspnet_compiler.exe for unusual network activity or parent processes other than .NET tooling.
  • File creation at %APPDATA%\GLOZVJ\GLOZVJ.exe is a high-confidence indicator of compromise.
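The endpoint indicators above, turned into a small detection routine that can be run over process, file and registry telemetry. This is an added example written for this report; it is not detection content from any vendor or from the sample. The event shape is a constructed, simplified record (image, parent, command line, registry key/value), and the list of parents treated as legitimate .NET tooling for Aspnet_compiler.exe (MSBuild, devenv, csc) is an assumption that an environment would tune to its own build workflows. The sample events are constructed to exercise each rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    """Simplified telemetry record (constructed shape, not a real EDR schema)."""
    kind: str            # "process", "file" or "registry"
    image: str = ""      # process image or file path being created
    parent: str = ""     # parent process image (process events)
    cmdline: str = ""    # full command line (process events)
    reg_key: str = ""    # registry key (registry events)
    reg_value: str = ""  # registry value name (registry events)


# Assumed legitimate parents for Aspnet_compiler.exe; tune per environment.
LEGIT_ASPNET_PARENTS = ("msbuild.exe", "devenv.exe", "csc.exe")

TEMP_PS1 = re.compile(r"\\temp\\[^\\\s\"]+\.ps1")


def detect(event: Event) -> list[str]:
    """Return the names of the report's endpoint indicators matched by one event."""
    hits: list[str] = []
    img, parent, cmd = event.image.lower(), event.parent.lower(), event.cmdline.lower()

    if event.kind == "process":
        # WScript.exe launching hidden, policy-bypassing PowerShell (Stage 0 -> Stage 1).
        if (parent.endswith("wscript.exe") and img.endswith("powershell.exe")
                and "-executionpolicy bypass" in cmd and "-windowstyle hidden" in cmd):
            hits.append("wscript_spawns_hidden_powershell")
        # PowerShell executing a .ps1 dropped into %TEMP%.
        if img.endswith("powershell.exe") and TEMP_PS1.search(cmd):
            hits.append("powershell_running_temp_ps1")
        # Injection host started by something other than .NET build tooling.
        if img.endswith("aspnet_compiler.exe") and not parent.endswith(LEGIT_ASPNET_PARENTS):
            hits.append("aspnet_compiler_unusual_parent")

    elif event.kind == "file":
        # High-confidence install path from the payload configuration.
        if "\\appdata\\" in img and img.endswith("\\glozvj\\glozvj.exe"):
            hits.append("glozvj_install_path")
        # New shortcut in the per-user Startup folder (LNK persistence).
        if "\\start menu\\programs\\startup\\" in img and img.endswith(".lnk"):
            hits.append("startup_lnk_created")

    elif event.kind == "registry":
        # Run key persistence using the configured value name.
        if (event.reg_key.lower().endswith("\\software\\microsoft\\windows\\currentversion\\run")
                and event.reg_value.upper() == "GLOZVJ"):
            hits.append("run_key_glozvj")

    return hits


def scan(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Run detect() over a batch and return (index, hits) for events that matched."""
    return [(i, h) for i, e in enumerate(events) if (h := detect(e))]


# Constructed sample telemetry modelled on the chain described in the report.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\wscript.exe",
          cmdline=r'powershell.exe -ExecutionPolicy Bypass -NonInteractive -WindowStyle Hidden '
                  r'-File C:\Users\u\AppData\Local\Temp\stage1.ps1'),
    Event("process", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("process", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe",
          parent=r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"),  # benign build
    Event("registry", reg_key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", reg_value="GLOZVJ"),
    Event("file", image=r"C:\Users\u\AppData\Roaming\GLOZVJ\GLOZVJ.exe"),
    Event("file", image=r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    Event("process", image=r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),  # benign
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

The first rule alone is generic for script-based droppers; the install path, Run value name and assembly GUIDs from the host-based indicator table are what raise an alert on this specific campaign to high confidence.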

YARA Detection Opportunities

  • String "Multi-Stage Rotational XOR Decryption Framework" in PowerShell scripts or memory.
  • .NET assembly GUID ef3c7d6a-da4e-4ac2-9b35-d57b6ca04251 (DEV.dll loader).
  • .NET assembly GUID db0ffc43-fde8-4e4a-8ebf-2d30cae27e9c (AgentTesla payload).
  • String "DEV.DOWN.SHOOT" in memory or file scans.
  • Combination of "GLOZVJ" and "cottondreams.org" in the same PE.

Remediation Steps

  1. Isolate the affected host immediately.
  2. Terminate Aspnet_compiler.exe processes not originating from legitimate .NET compilation workflows.
  3. Delete %APPDATA%\GLOZVJ\GLOZVJ.exe and the GLOZVJ directory.
  4. Remove the registry Run key HKCU\...\Run\GLOZVJ.
  5. Remove any .lnk files from the Startup folder not placed by the user.
  6. Delete any *.ps1 files from %TEMP%.
  7. Rotate all credentials for browsers, email clients, FTP clients, and VPN clients stored on the affected system — assume all were exfiltrated.
  8. Notify affected users and review inbound email filtering for .js attachments.

References

  • VirusTotal: SHA256 eba6c85e9ad11c6457780c7edfd5cc5807d8b88d0edb76866fd39540c4678361
  • Abuse.ch reporter submission, 2026-03-12
  • Shodan host report for 31.222.235.198
  • ILSpyCMD decompilation of Stage 3 .NET assembly
  • MITRE ATT&CK: https://attack.mitre.org/

Infrastructure Pivot: Extended Actor Infrastructure

Co-Hosted Domains on 31.222.235.198 (Active Pivots)

Domain             | Registration           | Status          | Notes
cottondreams.org   | NameCheap / Cloudflare | ACTIVE C2       | Primary SMTP C2
gunsaldi.com       | NameCheap / Cloudflare | MALICIOUS       | Same registrar+NS combo; detected by CyRadar, Fortinet:spam, Seclookup
stackscripts.store | Unknown                | Currently clean | Co-hosted; likely related
bulpoonl.top       | Unknown                | Unscanned       | .top TLD, suspicious name

Key finding: cottondreams.org and gunsaldi.com share identical registrar (NameCheap) and identical Cloudflare nameservers (cosmin.ns.cloudflare.com, jacqueline.ns.cloudflare.com), which is a strong actor-attribution cluster.

Historical IP Addresses for cottondreams.org

Date (approx) | IP             | ASN      | Organization          | Country | Notes
2026-03-12    | 31.222.235.198 | AS202302 | NETH LLC              | Ukraine | Current C2
2026-01-xx    | 5.252.153.82   | Unknown  | Unknown               | Unknown | Migration hop
2025-10-xx    | 83.217.209.216 | AS205775 | Neon Core Network LLC | Russia  | Russian VPS
2025-01-xx    | 209.172.2.100  | AS19853  | OrangeHost            | USA     | US hosting
2024-10-xx    | 46.175.145.195 | Unknown  | Unknown               | Unknown | Migration hop
2024-10-xx    | 46.175.145.91  | Unknown  | Unknown               | Unknown | Migration hop
2024-10-xx    | 91.219.60.131  | Unknown  | Unknown               | Unknown | Migration hop
2024-04-xx    | 163.123.181.69 | AS33387  | Nocix LLC             | USA     | US hosting
2024-03-xx    | 165.73.244.93  | AS40676  | Psychz Networks       | USA     | US hosting
2024-03-xx    | 194.61.52.186  | AS202302 | NETH LLC              | Ukraine | Same ISP as current

Pattern: the operator consistently returns to NETH LLC (Ukraine, AS202302) hosting, having migrated from US and Russian VPS providers back to Ukrainian infrastructure. The domain has been active since March 2024.

NETH LLC / AS202302 Infrastructure Significance

  • AS202302 (NETH LLC, Kyiv, Ukraine) is a bulletproof/permissive hosting provider frequently cited in abuse reports
  • The domain cottondreams.org has been using this ASN since the domain's registration in March 2024
  • dedaGLmj.netx.com.ua — alternate hostname on same server, leaked via Dovecot SSL certificate; netx.com.ua is a Ukrainian web hosting brand
  • The server runs FASTPANEL control panel, typical of cheap shared Ukrainian VPS hosting

Report generated: 2026-03-12 | TLP:AMBER — share only with members of your organization and trusted partners
