Adversary infrastructures tracked in 2023

Sekoia.io’s TDR team tracked a sharp rise in adversary C2 infrastructure during 2023, identifying over 85,000 IP addresses used as C2 servers and monitoring widespread use of phishing-as-a-service, infostealers, and offensive security tools (OSTs) such as Cobalt Strike. The report explains the proactive scanning, heuristics development (including TLS common-name checks), and continuous updates used to track evolving threats such as Stealc and MFA-relaying phishing platforms. #Stealc #EvilProxy

Keypoints

  • More than 85,000 IP addresses were identified as C2 servers in 2023, a >30% increase from 2022.
  • Proactive scanning against 260+ threat signatures uncovered malicious IPs, domains and URLs used for C2, phishing and delivery.
  • Phishing-as-a-Service (EvilProxy, NakedPages) and MFA-relaying kits drove a rise in adversary-in-the-middle compromises of Microsoft 365 accounts.
  • Infostealer distribution used resilient infrastructures (SEO-poisoned sites, malvertising, typosquatting) and moved from Raccoon/Vidar to Lumma and Stealc.
  • Stealc C2 infrastructure was highly decentralized and ephemeral (680+ unique IPs observed; most IPs active < 2 months), requiring frequent heuristic updates.
  • Detection heuristics included TLS common-name monitoring (ClearFake), content/design similarity checks for fake download pages, and reverse-engineering of DDoSia target distribution mechanisms.

MITRE Techniques

  • [T1583] Acquire Infrastructure – The intrusion set kept its infrastructure current by adding new domain names, IP addresses and websites. [‘the intrusion set consistently maintained and updated its infrastructure, including new domain names, IP addresses and websites.’]
  • [T1071.001] Application Layer Protocol: Web Protocols – Threat actors relied on Cobalt Strike’s web-based C2, whose Malleable C2 profiles let operators customize the traffic. [‘CobaltStrike is still a first choice from cybercriminals especially given its customization possibilities with MalleableC2.’]
  • [T1102] Web Service – Phishing platforms hid infrastructure behind Cloudflare/CDNs to mask origins and complicate proactive identification. [‘A growing trend among Phishing-as-a-Service platforms is to hide infrastructure behind Cloudflare’s content distribution network’]
  • [T1566] Phishing – Use of phishing kits and Phishing-as-a-Service offerings (EvilProxy, NakedPages) to capture credentials and session tokens. [‘Phishing-as-a-Service offerings, such as EvilProxy and NakedPages, progressively reduced the technical difficulty…’]
  • [T1557] Man-in-the-Middle – Adversary-in-the-middle phishing kits relayed MFA challenges to bypass multi-factor protections. [‘democratisation of phishing kits capable of relaying MFA challenges’]
  • [T1189] Drive-by Compromise – ClearFake injected malicious JavaScript into compromised sites to deliver payloads via drive-by downloads. [‘ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique.’]
  • [T1499] Network Denial of Service – The DDoS tool DDoSia was used to coordinate distributed denial-of-service campaigns by NoName057(16). [‘DDoSia… was and is still used by the pro-Russian hacktivist group NoName057(16) as of January 2024.’]

Indicators of Compromise

  • [IP address] C2 infrastructure – the summary gives aggregate counts rather than individual addresses: 85,000+ IP addresses used as C2 servers in 2023; 680+ unique IPs hosting Stealc C2
  • [Domain / TLS common name] ClearFake C2 domains – examples: 921hapudyqwdvy[.]com, acotechgh[.]com, and over 80 additional C2 domains collected
  • [Domain] Fake/typosquatting sites used for distribution – examples: domains impersonating AnyDesk and ChatGPT, and 50+ game-mimicking domains observed
  • [Malware family] Named threats observed – examples: Stealc, Lumma, and additional families like Raccoon and Vidar

In 2023 the Sekoia.io TDR team scaled a multi-pronged technical monitoring pipeline: automated active scanning across signature sets for 260+ threats, telemetry correlation from XDR/SOC feeds, and custom heuristics to identify C2s, phishing kits and fake download pages. This included content- and favicon-similarity checks to detect typosquatting/impersonation pages, SEO-poison detection for malicious landing pages, and domain/IP tracking to enumerate and tag C2 servers across distributed infrastructures.
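The content- and favicon-similarity check described above, as an added example that is not Sekoia.io's detector: a page whose favicon hash matches a tracked brand, or whose visible text closely matches the brand's reference page, while living on a domain the brand does not own, is flagged as an impersonation candidate. The brand ("ExampleDesk"), its reference page, the favicon bytes, the candidate pages and the 0.8 similarity threshold are all constructed for the illustration.

```python
"""Impersonation-page heuristic: favicon hash plus page-text similarity.

Added illustration, not Sekoia.io's tooling. Every input below is constructed.
"""
import hashlib
from difflib import SequenceMatcher
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append(data.strip())


def visible_text(html: str) -> str:
    """Lower-cased visible text of a page, whitespace-normalised."""
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts).lower()


def favicon_hash(favicon: bytes) -> str:
    """SHA-256 of the raw favicon bytes (used as a brand fingerprint)."""
    return hashlib.sha256(favicon).hexdigest()


def text_similarity(html_a: str, html_b: str) -> float:
    """Ratio in [0, 1] between the visible texts of two pages."""
    return SequenceMatcher(None, visible_text(html_a), visible_text(html_b)).ratio()


def is_impersonation(domain, html, favicon, brand, text_threshold=0.8):
    """Return (flagged, reason) for a candidate page against a brand profile."""
    if domain in brand["domains"]:
        return False, "legitimate brand domain"
    if favicon is not None and favicon_hash(favicon) == brand["favicon_sha256"]:
        return True, "favicon matches brand"
    sim = text_similarity(html, brand["reference_html"])
    if sim >= text_threshold:
        return True, f"page text similarity {sim:.2f}"
    return False, f"page text similarity {sim:.2f}"


# --- constructed sample data ---------------------------------------------
BRAND_FAVICON = b"\x00\x00\x01\x00constructed-favicon-bytes"
REFERENCE_HTML = (
    "<html><head><title>ExampleDesk</title><script>var x=1;</script></head>"
    "<body><h1>ExampleDesk Remote Desktop</h1>"
    "<p>Download ExampleDesk for Windows, macOS and Linux.</p>"
    '<a href="/download">Free download - version 8.0</a></body></html>'
)
# Copy of the brand page with the download link repointed (typical fake download page).
CLONE_HTML = REFERENCE_HTML.replace('href="/download"', 'href="/setup.exe"').replace(
    "Free download", "Free download now"
)
UNRELATED_HTML = (
    "<html><head><title>Garden Notes</title></head><body><h1>Spring planting</h1>"
    "<p>Tomatoes go in after the last frost.</p></body></html>"
)
BRAND = {
    "name": "ExampleDesk",  # hypothetical brand
    "domains": {"exampledesk.example"},
    "favicon_sha256": favicon_hash(BRAND_FAVICON),
    "reference_html": REFERENCE_HTML,
}
CANDIDATES = [
    ("exampledesk.example", REFERENCE_HTML, BRAND_FAVICON),        # the real site
    ("exampledesk-download.example", CLONE_HTML, BRAND_FAVICON),   # clone reusing favicon
    ("exampled3sk.example", CLONE_HTML, None),                     # typosquat, no favicon served
    ("garden.example", UNRELATED_HTML, b"some-other-icon"),        # benign page
]


def scan_candidates(candidates=CANDIDATES, brand=BRAND):
    """Map each candidate domain to its (flagged, reason) verdict."""
    return {dom: is_impersonation(dom, html, fav, brand) for dom, html, fav in candidates}


if __name__ == "__main__":
    for dom, (flagged, reason) in scan_candidates().items():
        print(f"{'FLAG' if flagged else 'ok  '} {dom}: {reason}")
```

The favicon check is cheap and catches straight copies; the text-similarity fallback catches pages that drop the favicon but keep the brand copy. In practice the threshold is tuned per brand, since short reference pages push the ratio up for unrelated content.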

For evolving toolsets the team iterated heuristics rapidly: ClearFake C2 servers were proactively located by monitoring TLS certificate common names; Stealc tracking required frequent updates after three major default-configuration changes (Mar/Jul/Dec 2023) and relied on counting ephemeral C2 IPs to estimate actor activity; phishing-as-a-service platforms were detected by identifying proxy-based session relay patterns and Cloudflare-fronted domains used to hide infrastructure. Reverse engineering and automation were used to extract DDoSia/NoName057(16) target lists and adapt collection when target-transmission mechanisms changed.

Operationally, these procedures emphasized resilient detection tactics: combine passive telemetry with active scanning, maintain a living list of TLS CNs and domain templates, tune heuristics when C2 configurations change, and prioritize monitoring of ephemeral IPs and CDN-fronted domains. Applying these methods enabled continuous tracking of large, rapidly changing adversary infrastructures and supported timely takedown reports and IOC sharing with registrars and customers.
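The TLS common-name tracking and ephemeral-IP counting from the two paragraphs above, as an added example that is not Sekoia.io's pipeline: scan records are matched against a "living list" of exact common names and domain templates, grouped by family, collapsed per IP into an activity window, and summarised into a unique-IP count, the share of IPs active for less than the ephemerality threshold, and a watchlist of IPs that are both ephemeral and recently active or CDN-fronted. The two ClearFake names are taken from the summary's IoC list; the regex template, its "hypothetical-family" label, the scan records, the CDN flag and the 60-day and 14-day thresholds are constructed assumptions.

```python
"""Tag C2 servers from TLS scan records and measure how ephemeral they are.

Added illustration, not Sekoia.io's tooling. Records and thresholds are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScanRecord:
    """One (IP, TLS common name) observation from an active scan."""
    ip: str
    tls_cn: str
    first_seen: date
    last_seen: date
    cdn_fronted: bool  # constructed flag: name resolves to a CDN edge rather than the origin


# The "living list". ClearFake names are from the summary's IoC list; the template
# and the family it belongs to are constructed placeholders, not real indicators.
TRACKED_CNS: dict[str, list[str]] = {
    "ClearFake": ["921hapudyqwdvy.com", "acotechgh.com"],
}
TRACKED_TEMPLATES: dict[str, list[re.Pattern[str]]] = {
    "hypothetical-family": [re.compile(r"^[a-z0-9]{12}\.example$")],
}


def classify_cn(cn: str) -> str | None:
    """Return the tracked family a common name belongs to, or None."""
    cn = cn.lower().rstrip(".")
    for family, names in TRACKED_CNS.items():
        if cn in names:
            return family
    for family, patterns in TRACKED_TEMPLATES.items():
        if any(p.match(cn) for p in patterns):
            return family
    return None


def tag_records(records):
    """Group scan records by tracked family; untagged records are dropped."""
    tagged = defaultdict(list)
    for rec in records:
        family = classify_cn(rec.tls_cn)
        if family:
            tagged[family].append(rec)
    return dict(tagged)


def merge_by_ip(records):
    """Collapse repeated observations of one IP into (first, last, cdn_fronted)."""
    windows = {}
    for rec in records:
        first, last, cdn = windows.get(rec.ip, (rec.first_seen, rec.last_seen, False))
        windows[rec.ip] = (min(first, rec.first_seen), max(last, rec.last_seen), cdn or rec.cdn_fronted)
    return windows


def summarize(records, today, ephemeral_days=60, active_days=14):
    """Per family: unique C2 IPs, ephemeral share, and a prioritised watchlist."""
    summary = {}
    for family, recs in tag_records(records).items():
        windows = merge_by_ip(recs)
        ephemeral = {ip for ip, (f, l, _) in windows.items() if (l - f).days < ephemeral_days}
        active = {ip for ip, (_, l, _) in windows.items() if (today - l).days <= active_days}
        cdn = {ip for ip, (_, _, c) in windows.items() if c}
        summary[family] = {
            "unique_ips": len(windows),
            "ephemeral_share": len(ephemeral) / len(windows),
            "watchlist": sorted((ephemeral & active) | cdn),
        }
    return summary


# Constructed scan records (documentation IP ranges, no real infrastructure).
SAMPLE_RECORDS = [
    ScanRecord("203.0.113.10", "921hapudyqwdvy.com", date(2023, 11, 1), date(2023, 12, 5), False),
    ScanRecord("203.0.113.11", "acotechgh.com", date(2023, 9, 1), date(2023, 12, 20), False),
    ScanRecord("198.51.100.7", "xk3m9q2pzvwq.example", date(2023, 12, 1), date(2023, 12, 28), True),
    ScanRecord("198.51.100.8", "www.example.org", date(2023, 1, 1), date(2023, 12, 31), False),
    ScanRecord("203.0.113.10", "acotechgh.com", date(2023, 12, 10), date(2023, 12, 28), False),  # IP reused under a new CN
]


if __name__ == "__main__":
    for family, stats in summarize(SAMPLE_RECORDS, date(2024, 1, 5)).items():
        print(family, stats)
```

Merging per IP before measuring lifetime matters: the same IP reappearing under a new common name (the last record) is one server that rotated its domain, not two short-lived ones, so counting records rather than IPs would overstate churn.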

Read more: https://blog.sekoia.io/adversary-c2-infrastructures-tracked-in-2023/