{
	"id": "e6efccaa-6883-478a-8e60-4ea74e4537b9",
	"created_at": "2026-04-06T00:10:34.899848Z",
	"updated_at": "2026-04-10T03:30:57.712161Z",
	"deleted_at": null,
	"sha1_hash": "dcfff04747a2efe5558855939b8a29377faa05c2",
	"title": "OPSEC Failure Exposes Coquettte’s Malware Campaigns on Bulletproof Hosting Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 431568,
	"plain_text": "OPSEC Failure Exposes Coquettte’s Malware Campaigns on Bulletproof Hosting Servers\r\nBy The Hacker News\r\nPublished: 2025-04-04 · Archived: 2026-04-05 17:51:06 UTC\r\nA novice cybercrime actor has been observed leveraging the services of a Russian bulletproof hosting (BPH) provider called Proton66 to facilitate their operations.\r\nThe findings come from DomainTools, which detected the activity after it discovered a phony website named cybersecureprotect[.]com hosted on Proton66 that masqueraded as an antivirus service.\r\nThe threat intelligence firm said it identified an operational security (OPSEC) failure on the domain, an open directory listing, that left the malicious infrastructure exposed and revealed the payloads staged on the server.\r\n\"This revelation led us down a rabbit hole into the operations of an emerging threat actor known as Coquettte – an amateur cybercriminal leveraging Proton66's bulletproof hosting to distribute malware and engage in other illicit activities,\" it said in a report shared with The Hacker News.\r\nProton66, also linked to another BPH service known as PROSPERO, has been attributed to several campaigns distributing desktop and Android malware like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish. Phishing pages hosted on the service have been propagated via SMS messages to trick users into entering their banking credentials and credit card information.\r\nCoquettte is one such threat actor leveraging the benefits offered by the Proton66 ecosystem to distribute malware under the guise of legitimate antivirus tools.\r\nThis takes the form of a ZIP archive (\"CyberSecure Pro.zip\") containing a Windows installer that downloads second-stage malware from a remote server, which in turn is responsible for delivering secondary payloads from a command-and-control (C2) server (\"cia[.]tf\").\r\nThe second stage is a loader classified as Rugmi (aka Penguish), which has been used in the past to deploy information stealers like Lumma, Vidar, and Raccoon.\r\nFurther analysis of Coquettte's digital footprints uncovered a personal website on which they claim to be a \"19 year old software engineer, pursuing a degree in Software Development.\"\r\nWhat's more, the cia[.]tf domain was registered with the email address \"root@coquettte[.]com,\" confirming that the threat actor controlled the C2 server and operated the fake cybersecurity site as a malware distribution hub.\r\n\"This suggests that Coquettte is a young individual, possibly a student, which aligns with the amateurish mistakes (like the open directory) in their cybercrime endeavors,\" DomainTools said.\r\nThe threat actor's ventures are not limited to malware: they have also been running other websites that sell guides for manufacturing illegal substances and weapons. Coquettte is believed to be loosely tied to a broader hacking group that goes by the name Horrid.\r\n\"The pattern of overlapping infrastructure suggests that the individuals behind these sites may refer to themselves as 'Horrid,' with Coquettte being an alias of one of the members rather than a lone actor,\" the company said.\r\n\"The group's affiliation with multiple domains tied to cybercrime and illicit content suggests that it functions as an incubator for aspiring or amateur cybercriminals, providing resources and infrastructure to those looking to establish themselves in underground hacking circles.\"\r\nSource: https://thehackernews.com/2025/04/opsec-failure-exposes-coquetttes.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2025/04/opsec-failure-exposes-coquetttes.html"
	],
	"report_names": [
		"opsec-failure-exposes-coquetttes.html"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcfff04747a2efe5558855939b8a29377faa05c2.pdf",
		"text": "https://archive.orkl.eu/dcfff04747a2efe5558855939b8a29377faa05c2.txt",
		"img": "https://archive.orkl.eu/dcfff04747a2efe5558855939b8a29377faa05c2.jpg"
	}
}