A Multi-Actor Infrastructure Investigation (Mapping the Malware Maze)

ID: 793fc620-6ab0-5bde-845b-d329fa4f6883

STIX ID: report--793fc620-6ab0-5bde-845b-d329fa4f6883

Feed Name: infostealers.com

Threat Score: 70/100

Date Published: 2024-12-21

Date Updated: 2026-04-28

Author: InfoStealers

This intelligence write-up details an infrastructure hunt that identifies a cluster of C2 servers and many associated malicious file hashes tied to infostealers and RATs. Key findings include C2 IP 154.216.20.204, numerous communicating IPs (including Cloudflare-backed and Wowrack hosts), evidence of AsyncRAT activity, SSH fingerprint pivots that link additional hosts, and a compiled IOC list of IPs and hashes; the author concludes the infrastructure is widely used by multiple actors to serve infostealers and RATs.