Amateur Hacker Leverages Russian Bulletproof Hosting Server to Spread Malware – Source: www.infosecurity-magazine.com

Source: www.infosecurity-magazine.com – Author:

A new, relatively low-skilled cyber threat actor has been uncovered leveraging the services of a bulletproof hosting provider (BPH) to deploy malware under the guise of legitimate software.

The hacker, known by the moniker ‘Coquettte,’ was discovered by DomainTools researchers while investigating malicious domains hosted on Proton66.

Proton66 is a Russian bulletproof hosting provider notorious for enabling cybercrime by ignoring abuse complaints.

DomainTools shared its findings on Coquettte’s activity in a report published on April 3, 2025.

The cybercriminal’s ventures include malware distribution, as well as the sale of guides for manufacturing illegal substances and weapons. 

Coquettte’s Malware Distribution Explained

DomainTools researchers first uncovered Coquettte’s activities through the domain cybersecureprotect[.]com, a fake cybersecurity product site hosted on Proton66.

At first glance, the website appeared to offer ‘CyberSecure Pro’ antivirus software. However, the website actually distributes the Rugmi malware loader.

The researchers gained access to the website’s web directory following “an operation security (OPSEC) failure” on Coquettte’s part.

The directory contained a compressed zip file of a Windows Installer. Once decompressed, the file appears to be a malware dropper for Rugmi rather than security software.

When executed, the installer reaches out to two hard-coded URLs, cia[.]tf and quitarlosi[.], downloads a second-stage payload and drops additional executables from the threat actor-controlled servers.

Rugmi is a modular malware loader used by cybercriminals to deploy various secondary payloads including infostealers, trojans and ransomware. It has been observed distributing various infostealers including Vidar, Raccoon Stealer V2, Lumma Stealer and Rescoms.

According to DomainTools, Rugmi is also known as Penguish and is associated with the Amadey loader.

Rugmi is distributed by Coquettte using Proton66’s infrastructure, including hosting the threat actor’s command and control (C2) server on the cia[.]tf domain, with which Rugmi communicates.

Further investigation revealed that this domain was registered with the email address root[@]coquettte[.]com.

“This direct link confirmed that Coquettte not only operated cybersecureprotect[.]com as a malware distribution hub but also controlled cia[.]tf, which facilitated the downloading and execution of malware payloads,” the researchers explained.

Illegal Substance and Weapon Guides

The investigation also uncovered other projects operated by Coquettte, including a website hosted at meth[.]to which contains how-to guides for illegal substances and weapons.

The site allegedly provides recipes and instructions for manufacturing methamphetamine, making explosives like C4/Semtex, constructing improvised devices (e.g. flashbangs, napalm), and even guides on catalytic converter theft. DomainTools has not verified that the guides can effectively help make those drugs and weapons.

Coquettte also maintains a personal website, coquettte[.]com, which provides additional insights into their online presence.

The site, hosted on AWS, once displayed a message stating “18-year-old software engineer, pursuing a degree in Comp Sci.”

DomainTools researchers noted, “This suggests that Coquettte is a young individual, possibly a student, which aligns with the amateurish mistakes (like the open directory) in their cybercrime endeavors.”

Amateur Black Hat Hacker Collective

Coquettte is believed to be linked to a loosely structured hacking collective known as Horrid.

This connection is evidenced by the shared infrastructure across multiple domains – such as horrid.xyz, terrorist.ovh, meth.to, and meth.su – which all utilize the same Google Analytics tracker and host content related to illicit activities.

The overlapping digital footprint indicates that Coquettte is likely an alias of one of the group’s members rather than a solitary actor.
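As an added illustration of the pivot described above (example code, not from the DomainTools report or the article), this Python snippet extracts Google Analytics tracker IDs from saved page bodies and groups domains that embed the same ID. The domains and tracker IDs are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches Universal Analytics (UA-xxxx-x) and GA4 (G-xxxxxxxx) IDs as they
# appear in analytics.js / gtag.js snippets.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Constructed sample pages for placeholder domains (not real fetched content).
# Three embed the same constructed ID, one uses a different ID, one has none.
SAMPLE_PAGES = {
    "site-a.invalid": '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE001"></script>'
                      "<script>gtag('config', 'G-EXAMPLE001');</script>",
    "site-b.invalid": "<script>gtag('config', 'G-EXAMPLE001');</script>",
    "site-c.invalid": "<head><script>gtag('config', 'G-EXAMPLE001');</script></head>",
    "site-d.invalid": "<script>gtag('config', 'UA-12345678-1');</script>",
    "site-e.invalid": "<html><body>No analytics snippet here</body></html>",
}

def extract_tracker_ids(html: str) -> set[str]:
    """Return every GA-style tracker ID found in one page body."""
    return set(GA_ID_RE.findall(html))

def cluster_by_tracker(pages: dict[str, str]) -> dict[str, list[str]]:
    """Group domains by the tracker IDs embedded in their pages."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tracker in extract_tracker_ids(html):
            clusters[tracker].add(domain)
    return {t: sorted(d) for t, d in clusters.items()}

def shared_trackers(pages: dict[str, str], min_domains: int = 2) -> dict[str, list[str]]:
    """Keep only tracker IDs seen on at least `min_domains` domains, i.e. the
    shared-infrastructure pivots worth following up on."""
    return {t: d for t, d in cluster_by_tracker(pages).items() if len(d) >= min_domains}

if __name__ == "__main__":
    for tracker, domains in shared_trackers(SAMPLE_PAGES).items():
        print(f"{tracker}: {', '.join(domains)}")
```

A shared ID is a lead for further correlation (registrant data, hosting, content), not proof on its own, since analytics IDs can be copied or reused across unrelated sites.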

Additionally, Coquettte and their associates maintain active online presences on several platforms, including a personal GitHub repository, a YouTube channel under the alias ‘chickenwing_11’ and a linked Last.fm profile.

Their infrastructure also extends to other cyber-related sites, such as a Linux terminal emulation project hosted on xn--xuu.ws, further supporting the notion that this network functions as an incubator for aspiring cybercriminals by providing malware resources, hosting solutions and a collaborative environment for underground hacking activities.

Original Post URL: https://www.infosecurity-magazine.com/news/coquettte-hacker-malware-bph/
