Trusted Design

Ransomware(Locky?) Spam campagin

概要

We have received a pile of spam lately that has the following links in it, and they all redirect to https://n3plcpnl0058.prod.ams3.secureserver.net:2083. I believe it to be a Locky variant, our firewall initially caught it as JS/Ransom.AP. I have reported the sites to godaddy as they seem to host them all. The 404testpage and 404javascript seem like old wordpress/joomla redirectors. I did some more research in it today after a week off we had another today with a new final redirect server, 0053 at secureserver.net instead of 0056. The address 160.153.129.36 shows up at scumware.org with 91 hits, mostly of the same design, random url, First_Last of "From" on email, and all redirected via the 404 redirect to the malware. Previously they were using the 160.153.129.34 address, and it has another 81 hits. 160.153.129.35 has 58. I continued getting hits from 160.153.129.33 up to 160.153.129.40 that all look this same way.

Created: 2026-02-23

Indicators

Indicatorsは見つかっていない。

類似Pulses

• Ransomware - Redirects and File (score: 0.66)
• WordPress Compromise Campaign (score: 0.62)
• Thousands of compromised WordPress websites redirect to exploit kits (score: 0.62)
• Locky Ransomware Download URL (score: 0.61)
• Compromised Wordpress sites serving multiple malware payloads (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る