A new, relatively low-skilled cyber threat actor has been discovered leveraging the services of a bulletproof hosting provider (BPH) to deploy malware under the guise of legitimate software.
The hacker, identified by the moniker ‘Coquettte,’ was discovered by DomainTools researchers while investigating malicious domains hosted on Proton66.
Proton66 is a Russian bulletproof hosting provider notorious for enabling cybercrime by ignoring abuse complaints.
DomainTools shared its findings on Coquettte’s activity in a report published on April 3, 2025.
The cybercriminal’s ventures include malware distribution, as well as the sale of guides for manufacturing illegal substances and weapons.
Coquettte’s Malware Distribution Explained
DomainTools researchers first uncovered Coquettte’s activities through the domain cybersecureprotect[.]com, a fake cybersecurity product site hosted on Proton66.
At first glance, the website appeared to offer ‘CyberSecure Pro’ antivirus software. However, the website actually distributes the Rugmi malware loader.
The researchers gained access to the website’s web directory following “an operational security (OPSEC) failure” on Coquettte’s part.
The directory contained a compressed zip file of a Windows Installer. Once decompressed, the file appears to be a malware dropper for Rugmi rather than security software.
When executed, the installer reaches out to two hard-coded URLs, cia[.]tf and quitarlosi[.], downloads a second-stage payload and drops additional executables from the threat actor-controlled servers.
Rugmi is a modular malware loader used by cybercriminals to deploy various secondary payloads including infostealers, trojans and ransomware. It has been observed distributing infostealers including Vidar, Raccoon Stealer V2, Lumma Stealer and Rescoms.
According to DomainTools, Rugmi is also known as Penguish and is associated with the Amadey loader.
Rugmi is distributed by Coquettte using Proton66’s infrastructure, including hosting the threat actor’s command and control (C2) server on the cia[.]tf domain, with which Rugmi communicates.
Further investigation revealed that this domain was registered with the email address root[@]coquettte[.]com.
“This direct link confirmed that Coquettte not only operated cybersecureprotect[.]com as a malware distribution hub but also managed cia[.]tf, which facilitated the downloading and execution of malware payloads,” the researchers explained.
Illegal Substance and Weapon Guides
The investigation also uncovered other projects operated by Coquettte, including a website hosted at meth[.]to which contains how-to guides for illegal substances and weapons.
The site allegedly provides recipes and instructions for manufacturing methamphetamine, making explosives like C4/Semtex, constructing improvised devices (e.g. flashbangs, napalm), and even guides on catalytic converter theft. DomainTools has not verified that the guides can effectively help make these drugs and weapons.
Coquettte also maintains a personal website, coquettte[.]com, which provides more insights into their online presence.
The site, hosted on AWS, once displayed a message stating “18-year-old software engineer, pursuing a degree in Comp Sci.”
DomainTools researchers noted, “This suggests that Coquettte is a young individual, possibly a student, which aligns with the amateurish mistakes (like the open directory) in their cybercrime endeavors.”
Amateur Black Hat Hacker Collective
Coquettte is believed to be linked to a loosely structured hacking collective known as Horrid.
This connection is evidenced by the shared infrastructure across multiple domains – such as horrid.xyz, terrorist.ovh, meth.to, and meth.su – which all use the same Google Analytics tracker and host content related to illicit activities.
The overlapping digital footprint indicates that Coquettte is likely an alias of one of the group’s members rather than a solitary actor.
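The shared-tracker pivot described above is a standard infrastructure-attribution check. The script below is an added example (not DomainTools’ tooling) that extracts Google Analytics IDs from page sources and groups domains by the IDs they share; the report does not disclose the Horrid tracker ID, so the HTML fragments and the `UA-00000000-1` ID are constructed sample data.

```python
import re
from collections import defaultdict

# Matches classic Universal Analytics (UA-xxxxxxxx-n) and GA4 (G-XXXXXXXX) IDs
# as they appear in gtag.js / analytics.js snippets in page source.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

# Constructed page-source fragments standing in for fetched HTML (sample data).
# The tracker ID is a placeholder; the real Horrid ID is not given in the report.
PAGES = {
    "horrid.xyz": '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-00000000-1"></script>',
    "terrorist.ovh": "gtag('config', 'UA-00000000-1');",
    "meth.to": "<script>ga('create', 'UA-00000000-1', 'auto');</script>",
    "meth.su": "gtag('config', 'UA-00000000-1'); gtag('config', 'G-PLACEHOLDER1');",
    "example.org": "gtag('config', 'G-UNRELATED99');",  # unrelated site, must not cluster
}


def extract_tracker_ids(html):
    """Return the set of GA tracker IDs referenced in one page source."""
    return set(GA_ID_RE.findall(html))


def cluster_by_tracker(pages):
    """Map each tracker ID to the set of domains whose pages reference it."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for tracker_id in extract_tracker_ids(html):
            clusters[tracker_id].add(domain)
    return dict(clusters)


def shared_infrastructure(pages, min_domains=2):
    """Keep only tracker IDs seen on at least `min_domains` distinct domains,
    i.e. the ones that actually tie separate sites to one operator."""
    return {
        tracker_id: sorted(domains)
        for tracker_id, domains in cluster_by_tracker(pages).items()
        if len(domains) >= min_domains
    }


if __name__ == "__main__":
    for tracker_id, domains in shared_infrastructure(PAGES).items():
        print(f"{tracker_id}: {', '.join(domains)}")
```

In practice the `PAGES` dict would be filled from archived or live page sources of the candidate domains; a single-domain ID (like `G-UNRELATED99` here) is dropped because it proves nothing on its own.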
Additionally, Coquettte and their associates maintain active online presences on multiple platforms, including a personal GitHub repository, a YouTube channel under the alias ‘chickenwing_11’ and a linked Last.fm profile.
Their infrastructure also extends to other cyber-related sites, such as a Linux terminal emulation project hosted on xn--xuu.ws, further supporting the notion that this network functions as an incubator for aspiring cybercriminals by providing malware resources, hosting solutions and a collaborative environment for underground hacking activities.