Emerging Cybercriminal Coquettte Exposed for Leveraging Russian Bulletproof Hosting Service

A recent investigation by DomainTools has uncovered the activities of a novice cybercriminal known as Coquettte, who appears to be using the services of a Russian bulletproof hosting (BPH) provider, Proton66. The investigation began with a fraudulent website, cybersecureprotect.com, which masqueraded as an antivirus service; a significant operational security (OPSEC) failure on that site exposed the actor’s malicious infrastructure.

According to the report, Coquettte used Proton66’s platform to distribute malware while engaging in other illegal activities. The threat intelligence firm noted that this amateur cybercriminal’s poor handling of OPSEC was itself a concern, since it exposed potentially dangerous payloads hosted on the server. The malware was distributed under the guise of a legitimate antivirus tool: a ZIP archive named “CyberSecure Pro.zip” that installed a second-stage malware loader known as Rugmi.

Proton66, which has been linked to numerous phishing campaigns and malware distribution, is also associated with an earlier BPH service called PROSPERO. Its infrastructure has hosted campaigns using malware families such as GootLoader, SpyNote, and Raccoon, along with phishing operations aimed at stealing users’ banking credentials.

Coquettte has publicly presented themselves as a young individual pursuing a software development degree, further supporting the assessment that they are inexperienced. The email address linked to the command-and-control server, registered as [email protected], confirms their direct control over the malicious operations. Notably, Coquettte is suspected of being involved with a larger hacking collective known as Horrid, suggesting possible mentorship within a network that fosters amateur cybercriminals.

This exposure underscores the need for heightened vigilance against such emerging threats, and highlights how even young, inexperienced cybercriminals can leverage established bulletproof hosting infrastructure for illicit activities.