JS Malware Hosting Shows the BEC Value of Bulletproof Hosts
JS malware hosting is the weak hinge of a March 2026 malspam campaign documented in Intrinsec’s full malspam infrastructure report: attackers sent spearphishing email to organizations across several regions, including energy and finance ministries, then ran a JavaScript backdoor through GHOSTYNETWORKS in the United States and OMEGATECH in Seychelles. The likely goal was email account compromise and the business email compromise fraud that follows it.
Security teams could dismiss the campaign as routine spam because neither the lure nor the script was technically exotic. That would miss the part worth building defenses around: abuse-tolerant routing networks kept both the mail flow and the command channel alive through quick domain takedowns.
The Spam Was Simple, the Hosting Was the Product
Intrinsec, a French cyber threat intelligence company, described emails carrying ZIP or RAR archives that contained heavily obfuscated JavaScript (JS, a scripting language that runs in browsers but also through trusted system script hosts). Once executed, the script sent a POST request with system data to a command and control server (C2, the remote channel an infected machine uses to receive instructions or report back).
The target list was wide, but it had a telling center. Intrinsec said victims came from multiple regions and sectors, with energy and finance ministries among the notable targets, including in the Commonwealth of Independent States (CIS, a regional grouping of former Soviet republics). The firm assessed with high confidence that the activity was financially motivated and with medium confidence that it fed Email Account Compromise (EAC, real mailbox takeover) or Business Email Compromise (BEC, payment fraud built around trusted email identity).
For defenders, the useful clue sits below the attachment. The Australian Signals Directorate, Australia’s signals intelligence agency, says in the Australian government’s bulletproof hosting guide that one bulletproof hosting provider can enable hundreds of criminals worldwide. This campaign shows that pattern in small form: rent the right network, send the mail, keep the C2 alive, then monetize whatever access survives.

Two Networks Carried the Campaign
The named providers matter because they were not passive waypoints. Intrinsec tied sender IPs and backdoor C2 addresses to autonomous systems (AS, numbered routing networks on the public internet), which gives defenders a broader and slower-changing blocking surface than a single domain or file hash.
| Network | Autonomous System | Campaign Role | Why It Raises Risk |
|---|---|---|---|
| GHOSTYNETWORKS | AS205759 | Hosted sender infrastructure and related malicious traffic | Intrinsec says four of six announced prefixes were listed as abusive by Spamhaus, and links the network with medium confidence to AnonRDP through OPTIBOUNCE. |
| OMEGATECH | AS202412 | Hosted a backdoor C2 domain and another sender domain | The Seychelles-based network was associated by Intrinsec with Virtualine and produced far heavier honeypot noise in the firm’s telemetry. |
| TELCHACK | AS207184 | Hosted earlier infrastructure tied to the same C2 domain | The earlier use points to an operator that changes suppliers while keeping parts of its workflow intact. |
The routing layer is where the campaign becomes more durable. Recorded Future’s Insikt Group, the threat research arm of Recorded Future, has separately described aurologic GmbH as upstream connectivity used by several high-risk networks and noted Virtualine Technologies among providers tied to that cluster in Recorded Future’s aurologic infrastructure analysis. That does not make every downstream packet malicious, but it does explain why defenders increasingly look at AS-level reputation when the same names keep appearing near malware traffic.
The Old C2 Trail Matters
Intrinsec’s most useful finding may be the older infrastructure behind the new spam. The aryamint domain, used in the JS backdoor’s C2 path, had already been active in June 2025 on TELCHACK, where the same broad pattern appeared: spam delivery and remote control traffic sitting on a bulletproof network.
That history changes the incident response question. A team that treats the campaign as a one-time domain problem will remove a few indicators of compromise (IOCs, technical markers such as domains, IPs or hashes) and call the job done. A team that sees the supplier trail will ask which routing networks are recurring, which mail paths reach users, and which script interpreters can launch from archive attachments.
The same logic applies to the attacker’s economics. Reusing a C2 naming pattern saves time. Moving to a new host preserves operations after a blocklist hit. Mixing low-grade spam with resilient infrastructure lets a financially motivated actor spend less on custom malware and more on keeping the fraud funnel alive.
That is why the old trail deserves attention even if no single payload looks advanced. In BEC and EAC cases, the expensive part for victims usually comes after the first click, when mailbox access, supplier invoices and payment timing are abused.
Why JavaScript Still Buys Time
MITRE ATT&CK, the threat behavior knowledge base maintained by MITRE, tracks this as Command and Scripting Interpreter: JavaScript (T1059.007). The reason the technique persists is practical: scripts are text, easy to obfuscate, easy to pack into archives and familiar enough that users may not see them as executables.
Microsoft Defender Security Research Team, Microsoft’s threat research group, saw the same broader problem in a separate developer-targeting campaign: malicious repositories retrieved and executed attacker-controlled JavaScript at runtime, then moved into staged C2 behavior, according to Microsoft’s malicious Next.js repository research. Different lure, same advantage for the attacker: code that can run inside normal workflows before a full binary ever appears.
- Built-in execution: Windows Script Host, Node.js and browser-adjacent tooling give attackers familiar launch paths.
- Text payloads: Obfuscation can hide intent until the script runs or contacts its server.
- User-driven launch: Archives and fake business documents push the victim into doing the execution step.
- Small C2 handshake: Early beacons can profile a host before the operator decides whether to spend a second-stage payload.
This is why blocking only known malware names is thin protection. The dangerous behavior is often the parent process, the script path, the unusual port, and the outbound connection to a network that already has a bad history.
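The process-tree signal described above, as an added example that is not part of Intrinsec’s report or this article: a small Python correlation over constructed Sysmon-style events (Event ID 1 process creation and Event ID 3 network connection) that flags wscript.exe, cscript.exe or node.exe running a .js, .jse or .mjs file from an archive or mail staging path, then attaches the process’s external connections and notes ports outside 80 and 443. The event records, GUIDs, paths, addresses and internal ranges are all invented; the staging-path patterns and launcher-parent list are assumptions to tune per environment.

```python
"""Detection sketch: script hosts launched from mail or archive staging paths.

Added example; not code from Intrinsec or the article. The records below are
constructed Sysmon-style events (Event ID 1 process creation, Event ID 3
network connection). Field names follow Sysmon's schema; every value, path
and address is invented for illustration.
"""
import ipaddress
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "node.exe"}
# Parents that typically hand a freshly opened attachment to a script host (assumed list).
LAUNCHER_PARENTS = {"outlook.exe", "explorer.exe", "winrar.exe", "7zfm.exe", "7zg.exe"}
# Where mail clients and archivers drop extracted attachments (assumed patterns).
STAGING_PATH = re.compile(r"\\(Downloads|INetCache|Content\.Outlook|Temp\\(Rar\$|7z))", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(js|jse|mjs)\b", re.IGNORECASE)
# Ports a web C2 beacon would blend into; anything else is called out.
ORDINARY_PORTS = {80, 443}
# Internal ranges of this constructed environment; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed telemetry: one archive-launched script, one benign Node.js service, one Downloads launch.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\Rar$DIa1234.5678\Invoice_0312.js"'},
    {"EventID": 3, "ProcessGuid": "{G1}", "DestinationIp": "203.0.113.44", "DestinationPort": 8080},
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'node "C:\dev\app\server.js"'},
    {"EventID": 3, "ProcessGuid": "{G2}", "DestinationIp": "10.0.0.12", "DestinationPort": 5432},
    {"EventID": 1, "ProcessGuid": "{G3}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Shipping_Docs.jse"'},
    {"EventID": 3, "ProcessGuid": "{G3}", "DestinationIp": "203.0.113.9", "DestinationPort": 443},
]


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launch_indicators(ev):
    """Flags for a process-creation event; empty dict when the image is not a script host."""
    image = basename(ev["Image"])
    if image not in SCRIPT_HOSTS:
        return {}
    cmd = ev["CommandLine"]
    return {
        "script_host": image,
        "launcher_parent": basename(ev["ParentImage"]) in LAUNCHER_PARENTS,
        "staging_script": bool(SCRIPT_EXT.search(cmd) and STAGING_PATH.search(cmd)),
    }


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Alert on script hosts running a script from a staging path, then attach their
    external connections. The join key is ProcessGuid, not ProcessId, because PIDs
    are reused quickly; the launcher parent only raises severity."""
    alerts = {}
    for ev in events:
        if ev["EventID"] != 1:
            continue
        flags = launch_indicators(ev)
        if flags and flags["staging_script"]:
            alerts[ev["ProcessGuid"]] = {
                "ProcessGuid": ev["ProcessGuid"],
                "image": flags["script_host"],
                "severity": "high" if flags["launcher_parent"] else "medium",
                "beacons": [],
            }
    for ev in events:
        if ev["EventID"] == 3 and ev["ProcessGuid"] in alerts and is_external(ev["DestinationIp"]):
            tag = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
            if ev["DestinationPort"] not in ORDINARY_PORTS:
                tag += " (unusual port)"
            alerts[ev["ProcessGuid"]]["beacons"].append(tag)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The staging path is the necessary condition and the launcher parent only raises severity, so an administrative script that explorer.exe starts from a non-staging folder does not fire, while the Node.js service started from cmd.exe is ignored entirely. The port note is deliberately weak evidence on its own; a beacon on 443 to a network with a bad routing history still deserves the alert, which is why the external connection is attached to the process rather than judged in isolation.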
The Fraud Case Behind the Malware
BEC is still one of the cleanest ways to turn mailbox access into cash. The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3, the bureau’s public reporting hub for cybercrime) recorded 24,768 BEC complaints and $3,046,598,558 in losses in the FBI’s 2025 IC3 annual report. That puts business email fraud below investment scams by loss, but above tech support, personal data breach and ransomware complaints in the same table.
- 24,768 BEC complaints reached IC3 in 2025.
- $3.05 billion in BEC losses were reported to IC3 that year.
- 642,001 honeypot hits came from the Seychelles network in Intrinsec’s telemetry, compared with 30,244 from the U.S.-based network.
Intrinsec did not claim that this specific campaign caused those FBI-reported losses. The point is narrower and more useful: the victimology and infrastructure match a fraud model where access is the opening move, not the payout. Energy companies, finance ministries, automotive groups and distributors all have payment flows worth studying after a mailbox is compromised.
That should shape the response. A user who opens a malicious archive may not see ransomware, a fake login page or an immediate bank request. The first visible sign may be a weird process tree or an outbound connection. The financial event can arrive days later, after the attacker has read enough mail to know who approves invoices and who is traveling.
Network Blocking Beats File Cleanup
“Blocking prefixes announced by BPH autonomous systems at network borders continues to be the most efficient way to counter this threat,” Intrinsec writes in its conclusion (BPH, bulletproof hosting). The line should be read as a priority, not a magic fix. Prefix blocks can cut off known bad neighborhoods, but they still need exceptions, monitoring and a process for false positives when legitimate traffic crosses a risky upstream path.
File cleanup alone leaves too much room for the operator. Domains rotate, archives get renamed and JavaScript changes shape quickly. Routing history moves more slowly, and repeated use of the same suppliers gives defenders a way to act before every new hash lands in a feed.
- Block or alert on the ASNs, IPs and domains listed in the report (refanged from the defanged form in which it publishes them), with business exceptions reviewed by security staff.
- Reject or quarantine .js, .jse and .mjs attachments, plus ZIP, RAR and ISO files that contain script payloads.
- Watch for wscript.exe, cscript.exe or node.exe launching from mail client temp paths, download folders or archive extraction locations.
- Move the DMARC policy from monitor mode (p=none) to enforcement (p=quarantine or p=reject) where possible, with SPF and DKIM aligned for high-value domains.
- Treat suspected mailbox access as a fraud incident too, with payment holds, supplier callback checks and rapid credential rotation.
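The prefix-block step carried through to a rule set, as an added example rather than anything from Intrinsec or this page. It keeps the ASN labels the report names but substitutes constructed placeholder prefixes from the RFC 5737 and RFC 3849 documentation ranges, since the real announcements would be pulled from a BGP or route-collector feed; the exception entry is also invented. The code collapses each ASN’s announcements, decides per destination address with longest-prefix match so a reviewed more-specific exception beats the block, and renders an nftables fragment whose drop rule excludes the exception set.

```python
"""AS-level prefix blocking with reviewed exceptions, rendered as an nftables fragment.

Added example; not code from Intrinsec or the article. The ASN labels are the
ones the report names, but the prefixes are constructed placeholders from the
RFC 5737 / RFC 3849 documentation ranges, not the networks' real announcements,
which would come from a BGP or route-collector feed. The exception is invented.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "network action label")

# Hypothetical announcements per ASN (constructed data, overlapping on purpose).
BPH_ANNOUNCEMENTS = {
    "AS205759": ["198.51.100.0/24", "198.51.100.128/25", "2001:db8:1::/48"],
    "AS202412": ["203.0.113.0/25", "203.0.113.128/25"],
    "AS207184": ["192.0.2.0/24"],
}
# Reviewed business exceptions: more-specific prefixes that must keep flowing (constructed).
EXCEPTIONS = {
    "203.0.113.64/27": "payment portal vendor behind a risky upstream, reviewed by security",
}


def build_rules(announcements, exceptions):
    """Collapse each ASN's prefixes (adjacent and nested ranges merge) and append exceptions."""
    rules = []
    for asn, prefixes in announcements.items():
        nets = [ipaddress.ip_network(p) for p in prefixes]
        for version in (4, 6):  # collapse_addresses refuses mixed families
            same_family = [n for n in nets if n.version == version]
            for net in ipaddress.collapse_addresses(same_family):
                rules.append(Rule(net, "block", asn))
    for prefix, reason in exceptions.items():
        rules.append(Rule(ipaddress.ip_network(prefix), "allow", reason))
    return rules


def decide(ip, rules):
    """Longest-prefix match over blocks and exceptions; on equal length the exception wins."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in rules if addr in r.network]  # membership is False across IP versions
    if not hits:
        return "allow", "no match"
    best = max(hits, key=lambda r: (r.network.prefixlen, r.action == "allow"))
    return best.action, best.label


def render_nft(rules, table="border"):
    """Emit an nftables table: one interval set per family and action, and a drop rule
    that applies to block members not present in the same-family exception set."""
    sets = {}
    for r in rules:
        name = f'{"allow" if r.action == "allow" else "bph"}_v{r.network.version}'
        sets.setdefault(name, []).append(str(r.network))
    lines = [f"table inet {table} {{"]
    for name, elems in sorted(sets.items()):
        typ = "ipv4_addr" if name.endswith("v4") else "ipv6_addr"
        lines.append(f"    set {name} {{ type {typ}; flags interval; elements = {{ {', '.join(elems)} }} }}")
    lines.append("    chain forward {")
    lines.append("        type filter hook forward priority 0; policy accept;")
    for name in sorted(sets):
        if not name.startswith("bph"):
            continue
        fam = name[-2:]  # "v4" or "v6"
        proto = "ip" if fam == "v4" else "ip6"
        cond = f"{proto} daddr @{name}"
        if f"allow_{fam}" in sets:
            cond += f" {proto} daddr != @allow_{fam}"
        lines.append(f'        {cond} counter log prefix "bph-drop " drop')
    lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = build_rules(BPH_ANNOUNCEMENTS, EXCEPTIONS)
    for ip in ("203.0.113.200", "203.0.113.70", "198.51.100.130", "2001:db8:1::5", "192.168.1.10"):
        print(ip, decide(ip, rules))
    print(render_nft(rules))
```

Run the rendered fragment with the `drop` removed first, so the counters and the `bph-drop` log lines measure how much legitimate traffic crosses these prefixes before enforcement, and regenerate it whenever the BGP snapshot changes, since the report itself shows the operator moving between suppliers.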
If the operators keep moving only domains, IOC cleanup will age out fast. If defenders block the routing suppliers and watch script execution from mail paths, this old-looking spam campaign becomes far harder to monetize.