Hackers Use GHOSTYNETWORKS and OMEGATECH to Run JavaScript Malware Infrastructure
Security researchers have linked a March 2026 malspam campaign to two bulletproof-hosting networks, GHOSTYNETWORKS and OMEGATECH. The campaign delivered a heavily obfuscated JavaScript backdoor through phishing emails aimed at organizations in energy, automotive, government finance, and other sectors.
The Intrinsec report says the campaign used ZIP and RAR attachments that contained malicious JavaScript files. Once executed, the backdoor contacted command-and-control infrastructure on non-standard ports and sent system information from the infected machine.
Intrinsec assessed the activity as financially motivated, with possible links to email account compromise and business email compromise operations. That matters because email-based fraud remains one of the most damaging cybercrime categories, with the FBI 2025 IC3 report placing business email compromise among the largest reported loss categories.
What the Campaign Targeted
The phishing activity started in March 2026 and reached several regions and industries. Intrinsec identified targets that included a large Ukrainian FMCG distribution holding, a Russian oil-refining company, automotive groups in Poland and Germany, and the Ministry of Finance of Transnistria.
The target list suggests the attackers were not focused on one country or one industry. Instead, they appeared to prioritize organizations where email compromise or payment redirection could create financial opportunities.
A second wave in April expanded the activity to more finance-related targets. The victim profile matches a common pattern in cybercrime, where attackers go after organizations that handle payments, vendor communication, and sensitive internal documents.
Campaign Overview
| Item | Details |
|---|---|
| Observed period | March and April 2026, with earlier infrastructure links dating back to 2025 |
| Main delivery method | Malspam with ZIP or RAR attachments |
| Payload type | Obfuscated JavaScript backdoor |
| Key networks | GHOSTYNETWORKS, AS205759, and OMEGATECH, AS202412 |
| Likely motive | Email account compromise or business email compromise |
| Notable ports | 2002, 2004, 7273, 3232, 6565, 34567, and 2244 |
How the JavaScript Backdoor Works
The malicious attachment carries a JavaScript file disguised as a business document. If the recipient opens it, the script runs under Windows Script Host (wscript.exe) and starts the infection chain from there, without dropping an obvious executable file on disk.
The backdoor gathers system details, creates a unique identifier for the infected machine, and sends the data to its command-and-control server through HTTP POST requests. Intrinsec observed that traffic on unusual ports, which can slip past inspection that is only applied to standard web ports; on networks that restrict outbound ports, the same choice makes the traffic stand out.
The malware also used an old Internet Explorer-style user agent string. That choice may help the traffic blend into generic browser-like activity in environments with limited network inspection, but on a fleet where Internet Explorer no longer exists the string is itself an anomaly worth alerting on.
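The two traits above (POST traffic to uncommon ports and a legacy IE user agent) combine well into a behavior rule. The following is an added example, not code from the Intrinsec report: it scores constructed proxy log lines against the ports listed on this page, the IE user-agent pattern, and whether the originating process is a Windows script host. The log format, the non-C2 hostnames and the process names are assumptions for illustration; only the ports, scan.aryamint.com and 91.92.243.79 come from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports Intrinsec observed for the backdoor's C2 traffic (from the campaign summary above).
CAMPAIGN_PORTS = {2002, 2004, 7273, 3232, 6565, 34567, 2244}
# Ports where outbound HTTP(S) is expected; anything else counts as "non-standard".
EXPECTED_WEB_PORTS = {80, 443, 8080, 8443}
# Windows Script Host binaries that a .js attachment runs through.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Markers of a legacy Internet Explorer user agent.
LEGACY_IE_UA = re.compile(r"MSIE \d|Trident/")

# Hypothetical proxy log format (an assumption, not the report's telemetry):
# <timestamp> <src_ip> <process> <method> <dst_host>:<dst_port> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>[^\s:]+):(?P<port>\d+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Event:
    ts: str
    src: str
    proc: str
    method: str
    host: str
    port: int
    ua: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line in the hypothetical format; return None on malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["src"], m["proc"].lower(), m["method"],
                 m["host"].lower(), int(m["port"]), m["ua"])


def score_event(ev: Event) -> List[str]:
    """Return the suspicious traits an event exhibits (empty list means benign)."""
    reasons: List[str] = []
    if ev.method == "POST" and ev.port not in EXPECTED_WEB_PORTS:
        reasons.append("POST to non-standard port")
    if ev.port in CAMPAIGN_PORTS:
        reasons.append("port matches campaign C2 ports")
    if LEGACY_IE_UA.search(ev.ua):
        reasons.append("legacy IE user agent")
    if ev.proc in SCRIPT_HOSTS:
        reasons.append("originates from Windows script host")
    return reasons


def detect(lines: List[str], threshold: int = 2) -> List[dict]:
    """Flag events with at least `threshold` traits, or any POST made by a script host."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the pipeline
        reasons = score_event(ev)
        script_post = ev.proc in SCRIPT_HOSTS and ev.method == "POST"
        if len(reasons) >= threshold or script_post:
            hits.append({"line": n, "host": ev.host, "port": ev.port, "reasons": reasons})
    return hits


# Constructed sample log (not real telemetry); benign hosts are invented.
SAMPLE_LOG = [
    '2026-03-12T09:14:02Z 10.0.5.21 chrome.exe GET www.example.com:443 "Mozilla/5.0 (Windows NT 10.0) Chrome/123"',
    '2026-03-12T09:14:40Z 10.0.5.21 wscript.exe POST scan.aryamint.com:6565 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    '2026-03-12T09:15:01Z 10.0.5.33 outlook.exe POST outlook.office365.com:443 "Microsoft Office/16.0"',
    '2026-03-12T09:16:11Z 10.0.5.40 python.exe POST internal-api.corp.example:8080 "python-requests/2.31"',
    '2026-03-12T09:17:55Z 10.0.5.21 svchost.exe POST 91.92.243.79:2244 "Mozilla/4.0 (compatible; MSIE 8.0)"',
    'garbage line that should be skipped',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']}:{hit['port']} -> {', '.join(hit['reasons'])}")
```

Running it flags lines 2 and 5 only. Line 4 shows why the threshold matters: an internal POST on 8080 from a non-browser process is normal on many networks and scores zero here, while the script-host rule fires on its own because wscript.exe has no legitimate reason to POST to the internet in most fleets.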
Why JavaScript Attachments Still Work
JavaScript payloads remain useful to attackers because they can run through trusted operating system components. This makes them harder to spot in environments where defenses focus mostly on executable files.
MITRE ATT&CK maps this behavior to Command and Scripting Interpreter: JavaScript (T1059.007), a technique in which attackers abuse JavaScript or JScript for execution. In email attacks, those scripts often arrive inside archives or disguised as documents.
The same technique also supports lightweight loaders. A small script can perform checks, contact a server, and fetch follow-on malware while keeping the initial attachment small and text-based.
GHOSTYNETWORKS Hosted Spam Infrastructure
Intrinsec traced one spam-sending IP address, 83.142.209[.]64, to GHOSTYNETWORKS, also known as AS205759. The bgp.tools listing for AS205759 identifies the network as Ghosty Networks LLC and shows six originated IPv4 prefixes.
The report says four of those six announced prefixes were registered as abusive by Spamhaus at the time of analysis. Intrinsec also linked GHOSTYNETWORKS to OPTIBOUNCE and assessed it as likely connected to AnonRDP-related bulletproof-hosting activity.
GHOSTYNETWORKS was also noisy beyond the email campaign. Intrinsec’s honeypots recorded more than 30,000 hits from IPs announced by the network during March 2026, including brute-force and scanning activity across multiple ports.
OMEGATECH Hosted Command-and-Control Servers
OMEGATECH, also known as AS202412, hosted the JavaScript backdoor's command-and-control domain scan.aryamint[.]com as well as a spam-sending domain, mpwirerope[.]com. The bgp.tools listing for AS202412 identifies the network as Omegatech LTD.
Intrinsec said OMEGATECH appeared to be another network tied to Virtualine, a Russia-linked bulletproof-hosting provider advertised on underground forums. The report also cited third-party intelligence that described the Seychelles-based network as hosting dozens of command-and-control servers on one subnet.

OMEGATECH produced far more honeypot noise than GHOSTYNETWORKS in March. Intrinsec recorded 642,001 network hits from IPs announced by OMEGATECH-AS during that month.
Infrastructure Comparison
| Network | ASN | Role in Campaign | Additional Context |
|---|---|---|---|
| GHOSTYNETWORKS | AS205759 | Spam-sending infrastructure | Linked by Intrinsec to OPTIBOUNCE and assessed as connected to AnonRDP-style bulletproof hosting |
| OMEGATECH | AS202412 | C2 hosting and spam-sending infrastructure | Assessed by Intrinsec as connected to Virtualine-style bulletproof hosting |
| TELCHACK-AS | AS207184 | Earlier infrastructure tied to the same threat actor pivots | Previously used for malware activity and later stopped announcing prefixes |
Why Bulletproof Hosting Matters
Bulletproof-hosting providers matter because they make abuse harder to disrupt. Attackers use these networks to host spam infrastructure, malware payloads, command-and-control servers, phishing pages, proxy systems, and scanners.
The GHOSTYNETWORKS route data shows a small network with several IPv4 prefixes, while the OMEGATECH route data shows a separate small hosting network. In abuse cases, even a small ASN can support a large amount of malicious traffic if upstream controls remain weak.
This is why defenders often block or monitor high-risk autonomous systems, not just individual domains. Domains can change quickly, but the network layer may reveal repeated use of the same hosting ecosystem.
Indicators Defenders Should Review
| Type | Indicator | Context |
|---|---|---|
| ASN | 205759 | GHOSTYNETWORKS |
| ASN | 202412 | OMEGATECH-AS |
| IPv4 | 83.142.209[.]64 | Spam-sending infrastructure |
| IPv4 | 91.92.243[.]79 | Spam and JavaScript backdoor C2 |
| IPv4 | 158.94.211[.]76 | JavaScript backdoor C2 |
| Domain | mail.talruit[.]com | Spam-sending domain |
| Domain | scan.aryamint[.]com | JavaScript backdoor C2 |
| Domain | mpwirerope[.]com | Spam-sending domain |
The Intrinsec analysis also lists file hashes tied to the JavaScript payloads and archives used in the campaign. Security teams should add those indicators to detection pipelines only after checking whether they fit their environment and telemetry sources.
Indicators can expire quickly in malspam operations. Defenders should combine them with behavior-based rules that detect suspicious script execution, outbound C2 attempts on uncommon ports, and archive-based phishing attachments.
Defensive Steps for Email and Endpoint Teams
- Block or quarantine .js, .jse, and .mjs attachments where business use does not require them.
- Inspect ZIP, RAR, and ISO attachments for embedded script files, including names with double extensions such as document.pdf.js.
- Restrict wscript.exe and cscript.exe execution outside trusted paths, for example with AppLocker or WDAC rules, and consider changing the default file association for .js files away from Windows Script Host so a double-click opens an editor instead.
- Watch for POST requests to unknown domains on ports such as 2002, 2004, 7273, 3232, 6565, 34567, and 2244.
- Block known malicious IP addresses, domains, and high-risk ASNs at firewalls and secure web gateways.
- Train employees to treat purchase orders, quotations, and payment requests inside archive files as suspicious.
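The archive-inspection step above is the one most mail gateways get only half right: they match the outer extension and miss double extensions or nested archives. The following is an added example, not code from the report or any named product: it walks a ZIP (ZIP is what the standard library handles; RAR would need a third-party library and is not covered here), flags members whose name ends in a Windows-scriptable extension regardless of case or of a decoy ".pdf." in the middle, descends into nested ZIPs to a fixed depth, and refuses to inflate oversized nested members. The sample archive it builds is constructed and inert; the member names are invented.

```python
import io
import zipfile
from typing import List

# Extensions Windows Script Host or mshta will execute directly from a double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".mjs", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
MAX_DEPTH = 3                          # stop descending into nested archives beyond this
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # do not inflate nested archives larger than this (zip-bomb guard)


def is_script_name(name: str) -> bool:
    """True when the final path component ends in a scriptable extension (case-insensitive)."""
    base = name.rsplit("/", 1)[-1].lower()
    return any(base.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def find_script_members(archive_bytes: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return paths of script files inside a ZIP, descending into nested ZIPs up to MAX_DEPTH.

    Nested members are reported as outer.zip!inner/path so the alert shows where the file sat.
    """
    found: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return found  # not a ZIP (or corrupt): nothing to inspect at this layer
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if is_script_name(info.filename):
                found.append(path)
            elif info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
                if info.file_size > MAX_MEMBER_BYTES:
                    found.append(path + " (nested archive too large, not inspected)")
                    continue
                found.extend(find_script_members(zf.read(info), depth + 1, path + "!"))
    return found


def should_quarantine(archive_bytes: bytes) -> bool:
    """Policy hook: quarantine any archive that carries at least one script member."""
    return bool(find_script_members(archive_bytes))


def build_sample_archive() -> bytes:
    """Constructed lure archive: a double-extension .js plus a nested ZIP with a .JSE inside."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Quotation_2026/quote.pdf.JSE", "WScript.Echo('constructed sample, inert');")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Purchase_Order_4471.pdf.js", "// constructed sample, inert")
        z.writestr("readme.txt", "plain text")
        z.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for member in find_script_members(sample):
        print("script member:", member)
    print("quarantine:", should_quarantine(sample))
```

The check is deliberately name-based rather than content-based: a gateway can apply it before any decompression of the member bodies, and a .js file is executed by extension no matter what its bytes look like. Pair it with the user-execution and script-host controls above rather than relying on it alone, since an attacker can still ship the script inside an ISO or a password-protected archive that this walker will not open.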
The behavior aligns with MITRE ATT&CK’s JavaScript execution technique, but defenders should also track phishing attachments, user execution, and obfuscated files. A single detection rule for file hashes will not catch future waves if the attacker repacks the scripts.
The FBI’s latest Internet Crime Report reinforces why these campaigns deserve attention. Business email compromise continues to generate major losses, and malware-backed email access can give attackers a stronger starting point for invoice fraud, payment redirection, and account takeover.
Why This Campaign Matters
The campaign shows that basic-looking JavaScript malware can still create serious risk when attackers combine it with resilient hosting and finance-focused targeting. The payload itself may look simple compared with advanced implants, but the infrastructure behind it helps the operation survive longer.
For defenders, the clearest lesson is to treat script attachments, archive files, and suspicious autonomous systems as connected signals. Email security, endpoint control, and network blocking need to work together.
GHOSTYNETWORKS and OMEGATECH also show why threat intelligence should not stop at domains. Mapping spam senders, C2 servers, hosting providers, ASNs, and upstream relationships can reveal a larger abuse ecosystem behind a single phishing attachment.
FAQ
Intrinsec reported that March 2026 malspam campaigns used GHOSTYNETWORKS and OMEGATECH to support JavaScript backdoor delivery, spam sending, and command-and-control infrastructure.
The backdoor was delivered through phishing emails carrying ZIP or RAR archives. Those archives contained heavily obfuscated JavaScript files that victims had to execute.
The backdoor collected system information, created a unique identifier for the infected machine, and sent the data to command-and-control infrastructure using POST requests over non-standard ports.
The two networks provided infrastructure for spam delivery and command-and-control activity. Intrinsec assessed them as part of a broader bulletproof-hosting ecosystem that supports cybercrime operations.
Reported targets included organizations in energy, automotive, FMCG distribution, and government finance. Intrinsec identified victims across multiple regions, including CIS-related targets and European automotive organizations.
Organizations should block script attachments where possible, inspect compressed files for embedded JavaScript, restrict wscript and cscript execution, monitor uncommon outbound ports, block known malicious indicators, and train employees to recognize malicious business-document lures.