Needle Fleet — Nine Live Customer Panels Across Five ASNs Mapped After Public Disclosure
With thanks to Mikhail Kasimov (@500mk500) for the tip that expanded this investigation from one panel to a fleet. Mikhail replied to our April 20 Needle report with thirteen additional :3000 candidates. The fleet map below is built on his pointer. Any mistakes are ours, not the tipster's — please reach out if you spot any, or if you have prior reporting we've missed.
TL;DR
Two days after our original Needle report documented a single Needle MaaS panel on 178.16.54[.]109:3000, Mikhail Kasimov dropped thirteen additional :3000 IPs in reply. Nine of those responded on April 22, 2026 at 02:53 UTC with a <title>Needle</title> SPA and a healthy /api/v2/health endpoint. All nine serve different Vite bundle filenames with nine distinct SHA-256 hashes and nine distinct bundle sizes ranging from 598 KB to 1.22 MB — each deployment is separately compiled, confirming Needle operates a genuine multi-tenant MaaS model.
Two of the nine live panels (178.16.54[.]109 and 178.16.55[.]234) sit in the two adjacent /24s that make up the 178.16.54[.]0/23 prefix at OMEGATECH NL. The second of those panels came online on April 20, 2026 — the same day our disclosure was published. We treat that co-location as a strong, though not conclusive, signal that the 178.16.54[.]0/23 range is Needle-vendor-operated infrastructure rather than customer-rented tenants, and we note that the original 178.16.54[.]109 panel has a 5.85-day continuous uptime and has not rebooted despite the public disclosure.
The remaining seven live panels span PROSPERO OOO (Russia, a known bulletproof hoster), DEDIK Services (Germany), Vultr (Netherlands), MHost LLC (Netherlands), and assorted RIPE / APNIC / US allocations. Panel uptimes range from 5.87 hours (newest) to 22.5 days (oldest), consistent with a steady one-to-three-day tenant-onboarding cadence across the last three weeks.
What This Report Adds to the Public Record
- Nine live Needle MaaS customer panels confirmed on April 22, 2026, with uptime, ASN, bundle filename and bundle SHA-256 for each — expanding the public footprint from the single 178.16.54[.]109 panel documented on April 20.
- Nine distinct Vite bundle hashes and nine distinct bundle sizes (598 KB to 1.22 MB), showing that each customer deployment is a separate build rather than a shared install — the technical evidence for the multi-tenant MaaS model.
- Identification of 178.16.54[.]0/23 at OMEGATECH NL as suspected Needle-vendor-operated infrastructure, hosting two panels in adjacent /24s: 178.16.54[.]109 and 178.16.55[.]234.
- A deployment timeline derived from each panel's /api/v2/health uptime field, showing steady new-panel spin-ups at a roughly one-to-three-day cadence between March 30 and April 21, 2026.
- Four additional IPs from Kasimov's list that did not respond during our sweep (195.160.220[.]49, 82.38.96[.]253, 94.103.91[.]192, 34.225.141[.]85) — listed as a hold set for defender monitoring; they may represent panels rotated offline or firewalled against unexpected sources.
This is a follow-up, not a restatement. The original Needle platform anatomy — the Phorpiex/Trik delivery chain, the private Monero pool on 178.16.54[.]109:6060, the 8-blockchain wallet-drainer coverage, the "960 million credential servings" figure, and the full kill-chain — remains as documented on April 20. If you have prior reporting on any of the panels listed below, or on the Needle vendor's handle or Telegram presence, please reach out and we will update this post and credit the earlier source.
The Fleet — Nine Live Panels
Each entry below was verified on 2026-04-22 at 02:53 UTC from an investigation-posture host. Every live panel returns HTTP 200 on /, serves <title>Needle</title> in the root HTML, links to a Vite-built bundle under /assets/index-<hash>.js, and responds to /api/v2/health with {"status":"healthy","timestamp":"…","uptime":<seconds>}. All nine serve identical React SPA scaffolding with the same EN and RU internationalization strings and the same /api/v2/* endpoint shape.
| IP | Port | Bundle filename | Bundle size | SHA-256 (first 16) | Uptime | Online since | Hoster (country) |
|---|---|---|---|---|---|---|---|
| 193.24.123[.]23 | 3000 | index-BjaD_Mig.js | 964,486 | fd7a5672830559be | 22.5d | 2026-03-30 | PROSPERO OOO (RU) |
| 94.26.83[.]82 | 3000 | index-B6bVOv3H.js | 597,775 | 9eafcbaac10c8cec | 8.53d | 2026-04-13 | DEDIK Services Ltd (DE) |
| 95.179.181[.]208 | 3000 | index-BAV5k_oq.js | 1,110,784 | b3a6be7c03a61d4d | 7.41d | 2026-04-14 | Vultr / The Constant Company (NL) |
| 45.151.106[.]204 | 3000 | index-D2zEEBXu.js | 1,074,396 | ea7bfc01de74a567 | 6.97d | 2026-04-15 | MHost LLC (NL) |
| 178.16.54[.]109 | 3000 | index-ChPBnyA0.js | 913,304 | 9bd9bd7bc0b4d8db | 5.85d | 2026-04-16 | OMEGATECH (NL) |
| 144.31.151[.]223 | 3000 | index-w6ngVLoZ.js | 1,220,525 | 0439a5cf6512034a | 2.78d | 2026-04-19 | RIPE-allocated (NL) |
| 178.16.55[.]234 | 3000 | index-D4ALqQvC.js | 978,571 | 7aefe6967a37ef1f | 1.78d | 2026-04-20 | OMEGATECH (NL) |
| 130.12.180[.]135 | 3000 | index-B-R-2jkz.js | 984,427 | 12ae166110e8b7c3 | 12.2h | 2026-04-21 | Cogent-adjacent (US) |
| 209.17.118[.]17 | 3000 | index-tbD5QpFe.js | 911,193 | 760739aae8a244bc | 5.87h | 2026-04-21 | APNIC-allocated (AU) |
Every row in the table is a distinct build. Vite derives the hash in the bundle filename from the bundle contents, so different filenames already imply different bytes. Size variance (a 2.04× spread from smallest to largest) confirms it: Vite builds are deterministic, so two instances of the same source with the same dependency lockfile built minutes apart produce identical byte-for-byte output, and the size differences must reflect real differences in the build inputs. The most plausible reading is feature-tier or license-level differentiation baked in at compile time: the smallest bundle (598 KB on 94.26.83[.]82) is likely a stripped entry-tier deployment, the largest (1.22 MB on 144.31.151[.]223) likely a full-feature tier. The caveat is that dependency-version drift between builds, or per-customer branding, would also change both hash and size, so bundle size alone does not establish a tier ordering.
We extracted per-bundle string sets — hard-coded URLs, Telegram handles, operator email addresses, build IDs — looking for cross-tenant identifiers the way CLICKSMOKE's JWTs identified operators. Needle's bundles leaked nothing of the kind. No hard-coded panel URLs, no tenant-specific Telegram handles, no emails, no operator aliases in minified code. The Needle vendor appears to have deliberately kept tenant identifiers server-side only, which is tighter OPSEC than most MaaS platforms we have analyzed.
The OMEGATECH /23 — Suspected Vendor Infrastructure
Two of the nine live panels — 178.16.54[.]109 and 178.16.55[.]234 — are inside the 178.16.54[.]0/23 range, both annotated as OMEGATECH in WHOIS, and sit in the two adjacent /24s that make up that /23. This is not a pattern we would expect from independent customers. Customer tenants typically diversify hosting providers both as a business necessity (Needle's own customers don't want their panels clustered in a way that lets a single abuse report take out their whole book) and as an artifact of the sales funnel (customers bring their own VPS).
The alternative reading is that 178.16.54[.]0/23 contains Needle-vendor-operated infrastructure: a flagship panel plus a staging, mirror, or second-instance node. Two supporting observations:
- 178.16.55[.]234 came online on 2026-04-20, the day our original Needle report was published. That is consistent with a vendor spinning up a mirror in response to public exposure — either preemptively (before their customers ask) or reactively (because the disclosure named 178.16.54[.]109 specifically).
- Despite the April 20 disclosure, 178.16.54[.]109 has not been rebooted. Its uptime is 5.85 days on April 22, placing its last boot at April 16 — four days before our report. An operator under active defensive pressure would typically cycle the panel; a vendor running it as their own flagship might leave it alone because other tenants have not asked them to move.
Neither observation is conclusive on its own, and both are consistent with alternative explanations (two unrelated customers happening to pick the same NL hoster, and a blasé operator who never saw the report). We are flagging the /23 as vendor-probable rather than vendor-confirmed. Investigators at OMEGATECH's upstream or at RIPE are in the best position to validate by pulling leasing records for the prefix.
Deployment Timeline — Steady Customer Onboarding
The /api/v2/health endpoint on each live panel returns an uptime field in seconds; subtracting it from the sweep time gives the panel's boot timestamp. Read as a deployment timeline, the nine live panels break down as follows:
- 2026-03-30 — 193.24.123[.]23 (PROSPERO OOO, RU)
- 2026-04-13 — 94.26.83[.]82 (DEDIK, DE)
- 2026-04-14 — 95.179.181[.]208 (Vultr, NL)
- 2026-04-15 — 45.151.106[.]204 (MHost, NL)
- 2026-04-16 — 178.16.54[.]109 (OMEGATECH, NL) — the panel our April 20 report documented
- 2026-04-19 — 144.31.151[.]223 (NL)
- 2026-04-20 — 178.16.55[.]234 (OMEGATECH, NL) — spun up the day of our disclosure
- 2026-04-21 — 130.12.180[.]135 (US) and 209.17.118[.]17 (AU)
The gap between PROSPERO on March 30 and the next spin-up on April 13 is conspicuous — either there is a panel we are missing in that window, or there was a two-week pause between the flagship tenant and the next cohort. From April 13 onward the cadence is consistent: a new panel every one to three days. Two panels on April 21 within hours of each other suggest either two simultaneous customers or a vendor pre-provisioning capacity.
At this cadence, the fleet is actively growing. Defender teams monitoring the nine IPs today should expect the list to be non-exhaustive by the end of this week.
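The timeline above is arithmetic over the health endpoint's uptime field, and the "conspicuous gap" judgement is a threshold over the differences between consecutive boot times. The following is an added example (our own illustration, not a script from the original report) that reproduces both from the fleet table's uptime column, so a reader can re-derive the boot dates and the gap flag from the published numbers. The threshold of seven days is our assumption; the uptime strings and sweep time are copied from the table.

```python
from datetime import datetime, timedelta, timezone

# Sweep time from the fleet table (2026-04-22 02:53 UTC).
OBSERVED_AT = datetime(2026, 4, 22, 2, 53, tzinfo=timezone.utc)

# (ip, uptime) pairs copied from the fleet table; uptime is the
# /api/v2/health figure, rounded the way the table prints it.
FLEET_UPTIMES = [
    ("193.24.123[.]23", "22.5d"),
    ("94.26.83[.]82", "8.53d"),
    ("95.179.181[.]208", "7.41d"),
    ("45.151.106[.]204", "6.97d"),
    ("178.16.54[.]109", "5.85d"),
    ("144.31.151[.]223", "2.78d"),
    ("178.16.55[.]234", "1.78d"),
    ("130.12.180[.]135", "12.2h"),
    ("209.17.118[.]17", "5.87h"),
]

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_uptime(text: str) -> float:
    """Convert '22.5d' / '12.2h' / '505440s' into seconds."""
    unit = text[-1]
    if unit not in UNITS:
        raise ValueError(f"unknown uptime unit in {text!r}")
    return float(text[:-1]) * UNITS[unit]


def boot_time(observed: datetime, uptime_seconds: float) -> datetime:
    """Boot timestamp = observation time minus the reported uptime."""
    return observed - timedelta(seconds=uptime_seconds)


def build_timeline(observed, rows):
    """Return [(ip, boot_datetime)] sorted oldest first."""
    entries = [(ip, boot_time(observed, parse_uptime(up))) for ip, up in rows]
    return sorted(entries, key=lambda e: e[1])


def onboarding_gaps(timeline):
    """Days between each consecutive pair of spin-ups."""
    gaps = []
    for (prev_ip, prev_boot), (ip, boot) in zip(timeline, timeline[1:]):
        gaps.append((prev_ip, ip, (boot - prev_boot).total_seconds() / 86400))
    return gaps


def conspicuous_gaps(timeline, threshold_days=7.0):
    """Gaps longer than the threshold (assumed: 7 days) are worth a second look:
    either a panel is missing from the sweep or onboarding paused."""
    return [g for g in onboarding_gaps(timeline) if g[2] > threshold_days]


def boot_dates(observed=OBSERVED_AT, rows=FLEET_UPTIMES):
    """Map ip -> YYYY-MM-DD boot date, as printed in the timeline."""
    return {ip: boot.strftime("%Y-%m-%d") for ip, boot in build_timeline(observed, rows)}


if __name__ == "__main__":
    tl = build_timeline(OBSERVED_AT, FLEET_UPTIMES)
    for ip, boot in tl:
        print(f"{boot:%Y-%m-%d %H:%M}Z  {ip}")
    for prev_ip, ip, days in conspicuous_gaps(tl):
        print(f"gap of {days:.1f} days between {prev_ip} and {ip}")
```

Run against the table, every boot date lands on the day listed in the timeline, and the only gap over the threshold is the 14-day stretch between the PROSPERO panel and the DEDIK panel. Feeding the same functions a live sweep (observation time plus the raw uptime seconds from each health response) keeps the timeline current as the fleet grows.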
The Unreachable Four
Four of Kasimov's thirteen IPs did not respond during the April 22 sweep:
- 195.160.220[.]49:3000
- 82.38.96[.]253:3000
- 94.103.91[.]192:3000
- 34.225.141[.]85:3000
We are not calling these dead. Any of the four could be a panel that was online when Kasimov observed it and is now temporarily rotated offline, rebooted mid-sweep, firewalled against arbitrary source ASNs, or migrated to a new IP. Defender teams running watchlists should keep all four on a rolling recheck for the next 14 days before retiring them. If any come back live, we will update this post.
Relationship to the April 20 Report
The April 20 report focused on one Needle panel — 178.16.54[.]109 — and documented it end-to-end from the Phorpiex/Trik delivery worm through the wallet-drainer capability set, the private Monero mining pool on :6060, and the "960 million credential servings" telemetry figure. Nothing in this follow-up changes any of that. The single-panel deep dive remains correct for that panel, and the platform capabilities documented there apply (by design, since the bundle shape is consistent across all nine) to every panel listed here.
What this follow-up does change is the scale conversation. Defender priorities keyed on 178.16.54[.]109 alone do not cover the fleet. Blocklists, detection engineering, and threat-intel deliverables that cite Needle should be updated to include at minimum the nine IPs in the fleet table above. Credentials, wallets, and browser cookies exfiltrated from victims will be processed on whichever panel belongs to the customer who ran the worm — not only on the one panel we originally documented.
Verification and Raw Artifacts
Per-panel HTTP header dumps, root HTML bodies, /api/v2/health responses, bundle SHA-256 checksums, reproduction shell scripts, per-bundle unique-string listings, and the raw Vite bundles themselves are published for independent verification at:
Every live panel in the fleet table includes a reproduce.sh that re-fetches the root HTML, the health endpoint, and the bundle, then compares the bundle SHA-256 against the recorded value. A mismatch on a later run means the operator has rebuilt or redeployed — which is itself a useful signal.
IOCs
Live Needle MaaS panels, verified 2026-04-22 02:53 UTC:
http://130.12.180[.]135:3000
http://144.31.151[.]223:3000
http://178.16.54[.]109:3000
http://178.16.55[.]234:3000
http://193.24.123[.]23:3000
http://209.17.118[.]17:3000
http://45.151.106[.]204:3000
http://94.26.83[.]82:3000
http://95.179.181[.]208:3000
IPs on hold (unreachable during the April 22 sweep, do not retire yet):
195.160.220[.]49:3000
82.38.96[.]253:3000
94.103.91[.]192:3000
34.225.141[.]85:3000
Suspected Needle-vendor-operated range:
178.16.54[.]0/23 (OMEGATECH, NL)
Panel fingerprint (all nine):
- TCP 3000 open, HTTP/1.1
- Root HTML title: `Needle`
- Bundle URL pattern: `/assets/index-<random>.js`
- Health endpoint: `GET /api/v2/health` returns `{"status":"healthy","timestamp":"<ISO-8601>","uptime":<seconds>}`
- Bearer-JWT auth on `/api/v2/*` authenticated endpoints, with the token stored in `localStorage["auth_token"]` client-side
- CORS: `Access-Control-Allow-Origin: *`
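The fingerprint above is the thing a watchlist actually matches on, and the reproduce.sh check in the Verification section is a SHA-256 comparison against the recorded value. The following is an added example (our own illustration, not the reproduce.sh shipped with the artifacts) that applies both to already-fetched responses: it scores a root HTML body, a health response and its headers against the fingerprint, and reports whether a fetched bundle still matches the recorded hash prefix. Network fetching is left out so the block runs offline; the sample HTML, health JSON, headers and bundle bytes are constructed stand-ins shaped like the fingerprint, not captures from any panel, and the assumption that the CORS header is read from the health response is ours.

```python
import hashlib
import json
import re

# Fingerprint pieces from the IOC list: <title>Needle</title>, a Vite bundle
# under /assets/index-<hash>.js, and /api/v2/health returning
# {"status":"healthy","timestamp":"<ISO-8601>","uptime":<seconds>}.
TITLE_RE = re.compile(r"<title>\s*Needle\s*</title>", re.IGNORECASE)
# Vite filename hashes use letters, digits, '-' and '_' (e.g. index-B-R-2jkz.js).
BUNDLE_RE = re.compile(r"/assets/index-[A-Za-z0-9_-]+\.js")


def extract_bundle_path(root_html: str):
    """First Vite bundle path referenced by the root HTML, or None."""
    m = BUNDLE_RE.search(root_html)
    return m.group(0) if m else None


def parse_health(body: str):
    """Return the health dict if it has the documented shape, else None."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or data.get("status") != "healthy":
        return None
    uptime = data.get("uptime")
    # bool is an int subclass in Python; reject it explicitly.
    if isinstance(uptime, bool) or not isinstance(uptime, (int, float)):
        return None
    if not isinstance(data.get("timestamp"), str):
        return None
    return data


def matches_fingerprint(root_html: str, health_body: str, health_headers: dict) -> dict:
    """Score one host against the panel fingerprint; 'match' is True only if
    every individual check passes."""
    checks = {
        "title_needle": bool(TITLE_RE.search(root_html)),
        "vite_bundle": extract_bundle_path(root_html) is not None,
        "health_shape": parse_health(health_body) is not None,
        # Assumption: the wildcard CORS header is observed on the health response.
        "cors_wildcard": health_headers.get("Access-Control-Allow-Origin") == "*",
    }
    checks["match"] = all(checks.values())
    return checks


def bundle_sha256(bundle: bytes) -> str:
    return hashlib.sha256(bundle).hexdigest()


def bundle_changed(bundle: bytes, recorded_prefix: str) -> bool:
    """True when the fetched bundle no longer matches the recorded SHA-256
    (the table stores the first 16 hex chars), i.e. the operator rebuilt or
    redeployed since the sweep."""
    return not bundle_sha256(bundle).startswith(recorded_prefix.lower())


# Constructed sample responses (not captured from any panel), shaped like
# the fingerprint above.
SAMPLE_HTML = (
    '<!doctype html><html><head><meta charset="utf-8"><title>Needle</title>'
    '<script type="module" crossorigin src="/assets/index-ChPBnyA0.js"></script>'
    '</head><body><div id="root"></div></body></html>'
)
SAMPLE_HEALTH = '{"status":"healthy","timestamp":"2026-04-22T02:53:00.000Z","uptime":505440}'
SAMPLE_HEADERS = {"Access-Control-Allow-Origin": "*", "Content-Type": "application/json"}
SAMPLE_BUNDLE = b"/* constructed stand-in for a Vite bundle */ console.log('needle');"

if __name__ == "__main__":
    print(matches_fingerprint(SAMPLE_HTML, SAMPLE_HEALTH, SAMPLE_HEADERS))
    print("bundle sha256:", bundle_sha256(SAMPLE_BUNDLE))
    # Compare against the prefix recorded for 178.16.54[.]109 in the fleet table.
    print("changed since sweep:", bundle_changed(SAMPLE_BUNDLE, "9bd9bd7bc0b4d8db"))
```

The per-check dict is deliberately kept rather than collapsed to a boolean: a host that passes the title and bundle checks but fails the health-shape check is the case to look at by hand, since it may be a panel that has updated its API or a lookalike that borrowed the front end. For the rolling recheck of the hold set, a host that starts matching again after a period of no response is the signal to re-add it to the live list.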
Recommendations for Defenders
- Add all nine live IPs to egress-blocklists, EDR threat-intel feeds, and DNS-level RPZ. Revisit weekly; the fleet is growing.
- Treat 178.16.54[.]0/23 as a high-confidence Needle-vendor range for now. If a full /23 block is too broad, at minimum track both 178.16.54[.]109 and 178.16.55[.]234 as likely vendor infrastructure rather than disposable customer tenants.
- Keep the four unreachable IPs on a 14-day rolling recheck rather than dropping them.
- Correlate against Phorpiex detections. The Needle platform is delivered via Phorpiex/Trik per the April 20 report; any Phorpiex infection since late March 2026 should be assumed to have been at risk of exfiltrating to one of these nine panels.
- Watch for new :3000 panels that match the fingerprint above — particularly any future appearance of the 178.16.54[.]0/23 prefix on further IPs.
Disclosure
- OMEGATECH (NL) — for the 178.16.54[.]0/23 range apparently hosting Needle-vendor infrastructure
- PROSPERO OOO (RU) — via RIPE abuse contact for 193.24.123[.]23
- DEDIK Services Ltd (DE) — for 94.26.83[.]82
- Vultr / The Constant Company (NL) — for 95.179.181[.]208; Vultr historically responds to abuse reports and this is a soft target in the fleet
- MHost LLC (NL) — for 45.151.106[.]204
- RIPE NCC — for the NL allocations above
- NL-CERT / NCSC-NL — for the six NL-hosted panels, given the concentration
- CERT-RU — for 193.24.123[.]23
- US-CERT / CISA — for 130.12.180[.]135
GHOST — Breakglass Intelligence "One indicator. Total infrastructure." Tipster credit: Mikhail Kasimov (@500mk500).