Keeping up with the Infostealers

ID: ea68adc3-db28-54e0-a717-45bdfcaa619a

STIX ID: report--ea68adc3-db28-54e0-a717-45bdfcaa619a

Feed Name: IntelInsights (Substack)

Threat Score
70/100

Date Published: 2025-01-28

Date Updated: 2026-04-19

Author: Vasilis Orlof

...
...

The research maps active infostealer-related infrastructure starting from 185.215.113.16 (AS51381, 1337team Limited). Using Censys queries on ports 22 and 80 and pivoting on shared SSH host-key and certificate fingerprints, together with a related malicious file ("cajubae"), the author uncovers 20 hosts tied to the Amadey and Smoke loaders and to the Redline, Lumma, MarsStealer and Stealc infostealers, plus newly identified IP clusters in Korea (notably AS3786 and AS4766) and Mexico. The domain niksplus.ru shows fast-flux behaviour. The post closes with extensive IP-based IoCs pointing to recently deployed malicious infrastructure that likely supports ongoing infostealer activity.
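The pivoting and fast-flux checks summarised above, as an added, self-contained example (this is not code from the post or its author). It runs the two techniques over a constructed inventory: only the seed IP 185.215.113.16 and AS51381/AS3786/AS4766 come from the summary; every other address is in RFC 5737 documentation space, every fingerprint is a placeholder, and the DNS snapshots for niksplus.ru are invented, so nothing here is a real IoC. The `max_fanout` cut-off and the fast-flux thresholds are assumptions chosen for illustration, not values the post states.

```python
"""Pivot from a seed IP over shared SSH host-key / certificate fingerprints, and
flag fast-flux DNS behaviour, on a constructed inventory (example code, not the post's)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Host:
    ip: str
    asn: int
    ssh_fp: Optional[str]   # fingerprint of the SSH server host key (port 22)
    cert_fp: Optional[str]  # fingerprint of the certificate served on the web port


SEED = "185.215.113.16"  # seed IP named in the post (AS51381)

# Constructed inventory: documentation-range addresses and placeholder fingerprints.
HOSTS: List[Host] = [
    Host(SEED,           51381, "ssh:aaaa",    "cert:c1"),
    Host("192.0.2.10",   51381, "ssh:aaaa",    None),        # same host key as seed
    Host("192.0.2.11",   51381, "ssh:aaaa",    "cert:c2"),   # same host key, own cert
    Host("198.51.100.5",  3786, "ssh:default", "cert:c1"),   # same cert as seed
    Host("198.51.100.6",  4766, "ssh:bbbb",    "cert:c2"),   # reachable only via c2
    Host("203.0.113.7",  64496, "ssh:default", None),        # four unrelated hosts that
    Host("203.0.113.8",  64496, "ssh:default", None),        # share a cloud-image default
    Host("203.0.113.9",  64496, "ssh:default", None),        # host key: a false pivot
    Host("203.0.113.10", 64496, "ssh:default", None),
]


def pivot(hosts: List[Host], seed_ip: str, max_depth: int = 2,
          max_fanout: Optional[int] = 3) -> Tuple[Set[str], List[Tuple[str, str, str]]]:
    """Breadth-first pivot: from the seed, collect hosts that share an SSH or
    certificate fingerprint, then pivot again from those, up to max_depth hops.
    Returns the set of related IPs and the (from, to, shared_key) tree edges."""
    by_ip = {h.ip: h for h in hosts}
    ssh_index: Dict[str, Set[str]] = defaultdict(set)
    cert_index: Dict[str, Set[str]] = defaultdict(set)
    for h in hosts:
        if h.ssh_fp:
            ssh_index[h.ssh_fp].add(h.ip)
        if h.cert_fp:
            cert_index[h.cert_fp].add(h.ip)

    seen = {seed_ip}
    edges: List[Tuple[str, str, str]] = []
    queue = deque([(seed_ip, 0)])
    while queue:
        ip, depth = queue.popleft()
        if depth >= max_depth:
            continue
        host = by_ip[ip]
        for key, index in ((host.ssh_fp, ssh_index), (host.cert_fp, cert_index)):
            if key is None:
                continue
            members = index[key]
            # A fingerprint shared by many hosts is almost certainly a default
            # image key or a shared-hosting cert, not an operator artefact; the
            # cut-off (an assumption) stops the pivot from swallowing the internet.
            if max_fanout is not None and len(members) > max_fanout:
                continue
            for other in members:
                if other not in seen:
                    seen.add(other)
                    edges.append((ip, other, key))
                    queue.append((other, depth + 1))
    return seen, edges


# Constructed DNS observations: (time, [(answer_ip, asn), ...]) per resolution.
FLUX_SNAPSHOTS = [  # invented answers for niksplus.ru, rotating across ASNs
    ("2025-01-20T00:00Z", [("198.51.100.20", 3786), ("198.51.100.21", 3786)]),
    ("2025-01-20T01:00Z", [("198.51.100.22", 4766), ("203.0.113.30", 64497)]),
    ("2025-01-20T02:00Z", [("198.51.100.23", 3786), ("203.0.113.31", 64497)]),
]
STABLE_SNAPSHOTS = [("2025-01-20T%02d:00Z" % h, [("192.0.2.50", 64496)]) for h in range(3)]


def flux_score(snapshots) -> Dict[str, float]:
    """Count distinct answer IPs and ASNs, and how often the answer set changes."""
    ips: Set[str] = set()
    asns: Set[int] = set()
    changes, previous = 0, None
    for _, answers in snapshots:
        current = {ip for ip, _ in answers}
        ips |= current
        asns |= {asn for _, asn in answers}
        if previous is not None and current != previous:
            changes += 1
        previous = current
    churn = changes / (len(snapshots) - 1) if len(snapshots) > 1 else 0.0
    return {"distinct_ips": len(ips), "distinct_asns": len(asns), "churn": churn}


def is_fast_flux(snapshots, min_ips: int = 5, min_asns: int = 2, min_churn: float = 0.5) -> bool:
    """Fast-flux heuristic (thresholds are assumptions): many IPs, several ASNs, frequent change."""
    s = flux_score(snapshots)
    return s["distinct_ips"] >= min_ips and s["distinct_asns"] >= min_asns and s["churn"] >= min_churn


if __name__ == "__main__":
    related, tree = pivot(HOSTS, SEED)
    print(sorted(related))
    for src, dst, key in tree:
        print(f"{src} -> {dst} via {key}")
    print("niksplus.ru fast-flux:", is_fast_flux(FLUX_SNAPSHOTS), flux_score(FLUX_SNAPSHOTS))
```

With the fan-out cut-off in place the pivot stops at five hosts (the seed, the two hosts sharing its SSH key, the host sharing its certificate, and one second-hop host found through that host's certificate); with `max_fanout=None` the shared default host key drags in the four unrelated hosts as well, which is exactly the false pivot a practitioner has to watch for when walking Censys results.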
