
Following the Trail - Meduza Stealer

ID: 795fc737-b043-5a28-9cb3-9b1b07f001d8

STIX ID: report--795fc737-b043-5a28-9cb3-9b1b07f001d8

Feed Name: IntelInsights (Substack)

Threat Score: 68/100

Date Published: 2024-12-08

Date Updated: 2026-04-19

Author: Vasilis Orlof

...
...

The report documents an investigation into Meduza stealer infrastructure starting from an open-directory distribution server (89.23.100.74) and pivots using service/HTTP fingerprints to identify additional potential distribution hosts and 11 C2 servers via a shared HTTP body hash. It highlights hosting concentrations in AS56694 (Smart Ape LLC) and AS210644 (Aeza International Ltd), shares search queries used for discovery, and provides explicit IOCs (IP addresses and a response body hash) to aid defenders in hunting and blocking related infrastructure.
