Play it!
ID: d0e96383-69e5-54f3-b03f-fd1f483909f4
STIX ID: report--d0e96383-69e5-54f3-b03f-fd1f483909f4
Feed Name: IntelInsights (Substack)
This report analyzes a C2 URL that pivots to infrastructure abusing the legitimate playit.gg tunneling service (AS40519), identifying numerous domains and IPs that redirect to playit.gg and are associated with malware activity (e.g., njRAT, XWorm). Using passive DNS, Censys, and Shodan pivots, it enumerates IOCs and shows how threat actors exploit playit.gg’s CDN/reputation to host malicious and phishing domains and conceal C2 traffic, indicating ongoing multi-actor cybercrime operations leveraging this platform.
