{
	"id": "1d7783b5-df7b-42f5-ad9a-1eba125dcf57",
	"created_at": "2026-04-06T00:07:27.012557Z",
	"updated_at": "2026-04-10T03:33:20.572847Z",
	"deleted_at": null,
	"sha1_hash": "cb0d80de115a81e717825408c15f48c8c8ff7336",
	"title": "Active Lycantrox infrastructure illumination",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 463285,
	"plain_text": "Active Lycantrox infrastructure illumination\r\nBy Felix Aimé, Maxime A. and Sekoia TDR\r\nPublished: 2023-10-02 · Archived: 2026-04-05 22:46:34 UTC\r\nOn September 22, Citizenlab published a blog post regarding the use of Cytrox’s signature Predator spyware against the iPhone of the former Egyptian MP Ahmed Eltantawy. In August and September 2023, Ahmed Eltantawy was targeted via network-based injection, redirecting him to malicious web pages when he visited non-HTTPS sites, by exploiting a zero-day exploit chain (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) used to install Predator on iOS versions up to 16.6.1.\r\nCytrox has previously attracted attention for its involvement in the development of its Predator spyware for targeting civil society. CitizenLab and META have released a few blog posts and reports delving into Cytrox and its affiliated cyber intelligence consortium, known as Intellexa.\r\nIn December 2021, we issued a FLINT report exploring potential connections between Cytrox customers (that we track under the Lycantrox intrusion set) and Candiru customers (tracked under the Karkadann intrusion set), prompted by similarities in the infrastructure employed by their respective clientele to compromise their targets. This overlapping infrastructure may stem from shared customers utilizing both Cytrox and Candiru technologies.\r\nSEKOIA.IO is actively monitoring hundreds of malicious infrastructure clusters to protect its customers. In light of the recent Citizenlab blog post and in solidarity with the efforts against cyber mercenaries, we have chosen to shed light on one of the infrastructure clusters employed by Lycantrox, potentially for compromising their targets.\r\nhttps://blog.sekoia.io/active-lycantrox-infrastructure-illumination/\r\nPage 1 of 8\r\nWhile the domain patterns look like entry points for exploit kits, the scale of this infrastructure suggests a broader use of it. However, we lack concrete evidence to confirm this.\r\nInfrastructure illumination\r\nThe infrastructure used by Lycantrox consists of VPS instances hosted in several autonomous systems. Each Lycantrox user seems to run their own VPS instances and manage their own related domain names. When looking closely at the services exposed on the instances, most of the time there are two open ports: SSH, used for administration, and port 443, served by Nginx. On several occasions, only port 443 is available.\r\nUnlike most C2s listening on port 443, the Nginx instance is configured to answer with a certificate only if a valid domain name is provided to it; otherwise it answers with an SSL_ERROR_UNRECOGNIZED_NAME_ALERT and the connection is dropped.\r\nTo correlate the infrastructure, we can simply collect all the IP addresses matching the heuristic described above, looking for VPS with two open ports or fewer. This provides a list of hundreds of IP addresses that we can then check against a passive DNS database in order to obtain domain names to test.\r\nJust by looking at the domain names resolving to this list, we can spot a few that ring a bell from our past hunting of Lycantrox infrastructure, such as fake URL shorteners or typosquatted news websites such as bitshort[.]info or elwatnanews[.]com. Moreover, many of them are linked to name servers that are known to accept cryptocurrency payments and to be associated with cyber criminal activities. However, we need to be sure of their use by Lycantrox.\r\nTo ensure that the mentioned domains are related to Lycantrox infrastructure, an active check can be performed. Its aim is to discover whether some of them present anomalies that a default Nginx installation does not exhibit, which gives another discriminant to add to our final heuristic. During our investigation we found that the domains answered any tested URL with a 204 No Content status code even though they displayed a 404 error page, allowing us to categorize each of them as Lycantrox related or non-Lycantrox related.\r\nIn the end, 121 unique active domain names were found to be related with high confidence to an infrastructure cluster linked to the Lycantrox intrusion set. Some of the discovered domains typosquat, or contain references to, the specific geographical areas shown in the following map.\r\nWe are also providing, under “medium confidence”, suspected Lycantrox related domain names that we have not been able to check actively during the investigation. It is worth noting that, by poking around them, it is possible to see other domains that might be related to the same threat actors, possibly used in the past or as backup infrastructure.\r\nContext analysis\r\nMadagascar\r\nThe only websites with subdomains pointing to the servers that matched our heuristic are related to Madagascar. These websites (soutien-a-rajoelina[.]com, emergence-mada[.]com and sahia-mijoro[.]com) – which seem to have been created by the threat actor itself – are WordPress blogs containing real articles taken from the Madagascan newspaper Midi Madagasikara, which is also typosquatted as midi-madgasikara[.]co.\r\nEven though their subdomains point to malicious servers, we have not been able to detect any malicious iframes, script insertions or fingerprinting scripts leading to the malicious servers on the websites. While looking in open sources for references to these domains, we have seen only one occurrence of emergence-mada[.]com – a post of this blog was linked in a Facebook group supporting the current president, Andry Nirina Rajoelina. Sekoia.io was not able to observe malicious content in the history of the linked webpage.\r\nMadagascar is currently campaigning for a presidential election on 9 November 2023, where Rajoelina, the current president elected in 2018, is seeking re-election. Sekoia.io assesses it is plausible that Madagascar government services – such as police or domestic intelligence – purchased and leveraged Cytrox’s Predator malware to conduct domestic political surveillance, months before the election. This hypothesis is politically coherent with Rajoelina’s undemocratic approach – the 2009 coup d’état that brought him to power, the 2019 major Senate reform, intense propaganda on social media promoting his reforms. In addition, according to Intelligence Online, the company Intellexa, Cytrox’s parent company, bought from a French company a contract with the Madagascar government for the collection and processing of interception data.\r\nIndonesia\r\nAmong the Lycantrox domains, suarajubi[.]net and suarajubi[.]com likely typosquat Jubi TV, a West Papua province opposition media outlet founded by Victor Mambor, journalist and Papuan autonomy activist. Jubi TV often reports on Jakarta’s operations against Papuan activists. Sekoia.io assesses it is possible that Indonesian intelligence services purchased and leveraged Cytrox’s Predator malware to conduct political surveillance, at least on autonomist movements.\r\nKazakhstan\r\nIt is not surprising to see Kazakhstan on that list, as this country has a troubled history with cyber surveillance vendors such as NSO, RCS Lab or FinFisher, used to compromise devices belonging to human rights activists, politicians, journalists and opponents. Based on the Lycantrox domains Sekoia.io investigated and on Astana’s documented use of cyber surveillance tools, it is likely that Kazakhstan intelligence services purchased and used Cytrox’s Predator malware.\r\nAngola\r\nSekoia.io analysts found several domains associated with Angolan entities. At least six of them typosquat online media – folha-9[.]com, factosdiarios[.]co or lilpastanews[.]co – and several others seem related to national entities (the main telecom operator, the national oil production company, the ministry of finance, the national postal service). Sekoia.io found other typosquatted domains associated with Portugal – mult[.]icaixa[.]info, cnn-portugal[.]com – that we assess as possibly part of the Predator campaign in Angola. Given the multiple Angola-related and Portuguese-speaking domains, Sekoia.io assesses it is plausible that Angolan government services were also Cytrox clients.\r\nConclusion\r\nIt is worth mentioning that Lycantrox has hardened its reverse proxies since our previous investigations and after some public disclosures, in order to prevent such illumination. However, too much hardening can sometimes become a discriminant from a defender’s point of view, as we can see with this correlation.
\r\nSekoia.io will continue its efforts against known cyber mercenary threat actors by illuminating their infrastructure and providing the associated indicators of compromise (IOCs) to the community for free. Therefore, if you are a journalist, politician or human rights activist, we encourage you to check your device for the presence of the following list of domain names, using, for example, MVT to analyse your Android/iOS logs, or SPYGUARD to check your device’s network communications in real time against a set of heuristics to detect possible implant beaconing.\r\nIndicators of compromise\r\nDomains mentioned in the CitizenLab blog post, also found during our investigation.\r\nbetly[.]me\r\nsec-flare[.]com\r\nverifyurl[.]me\r\nHigh confidence, active infrastructure during the time of the investigation.\r\nModerate to high confidence, dormant or inactive infrastructure during the time of the investigation.\r\nThank you for reading this blog post. We welcome any reaction, feedback or criticism about this analysis. Please contact us on tdr[at]sekoia.io\r\nSource: https://blog.sekoia.io/active-lycantrox-infrastructure-illumination/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.sekoia.io/active-lycantrox-infrastructure-illumination/"
	],
	"report_names": [
		"active-lycantrox-infrastructure-illumination"
	],
	"threat_actors": [
		{
			"id": "5e034014-1f6e-424d-adfa-49557e655e08",
			"created_at": "2024-02-06T02:00:04.118601Z",
			"updated_at": "2026-04-10T02:00:03.572699Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [
				"Piwiks"
			],
			"source_name": "MISPGALAXY:Karkadann",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f6bd9b8-e46e-4c3b-9a08-41fee319f273",
			"created_at": "2022-10-25T16:07:23.747959Z",
			"updated_at": "2026-04-10T02:00:04.735963Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [],
			"source_name": "ETDA:Karkadann",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb0d80de115a81e717825408c15f48c8c8ff7336.pdf",
		"text": "https://archive.orkl.eu/cb0d80de115a81e717825408c15f48c8c8ff7336.txt",
		"img": "https://archive.orkl.eu/cb0d80de115a81e717825408c15f48c8c8ff7336.jpg"
	}
}