A Multi-Actor Infrastructure Investigation
ID: 28a1bdaf-8292-55a9-8380-55b062c0c8e8
STIX ID: report--28a1bdaf-8292-55a9-8380-55b062c0c8e8
Feed Name: IntelInsights (Substack)
The report maps a large, likely shared criminal infrastructure supporting infostealers (LummaC2, Rhadamanthys) and AsyncRAT, centered on C2 154.216.20.204 and expanding via file-hash communications to numerous IPs across multiple ASNs. It notes Cloudflare reverse proxy usage to mask backends, unusual SSH configurations on Wowrack infrastructure, and further pivots (e.g., geolocation API HTML titles) revealing additional malicious servers. The document provides a consolidated list of IOCs (hashes and IPs), assessing moderate-to-high confidence that multiple threat actors are leveraging this ecosystem.
