Researchers at BlackFog have detailed OnyxC2, a new malware-as-a-service sold on cybercrime forums that packages professional-grade data theft for as little as $250 a month, with a $500 premium tier adding hidden-desktop control and a $6,000 buyout option. It ships with a polished control panel and ready-made lures disguised as FinePrint, Windows Settings, a fake Windows update, and a game installer. Its payloads slipped past VirusTotal scanning when first uploaded and were still undetected weeks later, and builds use AES-256 encryption. The low price and turnkey design lower the barrier for less-skilled criminals to run capable infostealing campaigns.
Hunt.io has mapped 1,350+ command-and-control servers spread across 98 providers in 14 Middle Eastern countries over three months. Saudi Telecom Company (STC) hosts 981 of them - 72.4% of all observed regional C2 - the largest single-provider concentration the researchers have seen globally. Most of STC's hosting appears to be compromised customer systems rather than deliberate bulletproof hosting, but for defenders the effect is the same: the bulk of the region's C2 sits in one national telco's address space, which cannot be blocked wholesale without cutting off its legitimate customers. Other heavy hosts include SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Iraqi provider Regxa, which Hunt.io flags as the highest bulletproof-hosting profile observed. Named campaigns hosted on this infrastructure include Eagle Werewolf espionage, DYNOWIPER attacks on Poland's energy sector, and RondoDox.
Security Affairs covered new research on April 23 documenting a Linux port of the GoGra backdoor, originally seen as Windows-only. The Linux variant retains GoGra's defining feature: it uses Microsoft Graph API as its command-and-control channel, fetching commands from Outlook drafts in an attacker-controlled Microsoft 365 tenant and writing results back to the same drafts. Because the C2 traffic is HTTPS to graph.microsoft.com - the same endpoint legitimate clients hit constantly - destination-based network detections (domain and IP reputation, egress allowlists that already permit Microsoft cloud endpoints) do not flag it, and because the tenant belongs to the attacker, the victim organisation's own Microsoft 365 audit logs never see the drafts. What is left is host-side context: which process on the server is talking to Graph, and how regularly. The Linux port targets enterprise Linux servers with outbound 443 access to Microsoft cloud services, broadening reach onto build servers and jump hosts, where a legitimate Graph client is rare.
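A host-side hunt for this channel, as an added example that is not from the research or from any GoGra sample: given per-connection telemetry that attributes each outbound TLS connection to the process that opened it (on Linux, auditd `connect` records, an eBPF tracer, or Sysmon for Linux can supply this; the JSON shape below is an assumption), flag any non-allowlisted process on a server that contacts graph.microsoft.com, and additionally mark it as beaconing when its connection cadence is too regular to be interactive use. The log records, the `/tmp/.cache/gupdate` path and the allowlist are constructed for the example.

```python
"""Hunt for Graph-API-as-C2 polling in host connection telemetry.

Assumed record shape (one JSON object per line): ts = epoch seconds,
host = server name, exe = path of the process that opened the connection,
dst = TLS SNI or resolved hostname of the peer.
"""
import json
import statistics
from collections import defaultdict

GRAPH_HOST = "graph.microsoft.com"

# Processes that may legitimately talk to Graph from these hosts.
# Assumption: populate from your own inventory; on most build servers
# and jump hosts this set is empty.
ALLOWED_GRAPH_CLIENTS = {"/usr/bin/rclone"}

# Constructed sample telemetry (not real GoGra data). build-01 has an
# unknown binary polling Graph every ~60 s; ci-03 has an agent that
# touched Graph twice; jump-02 uses an allowlisted client irregularly.
SAMPLE_LOG = """\
{"ts": 1700000000, "host": "build-01", "exe": "/tmp/.cache/gupdate", "dst": "graph.microsoft.com"}
{"ts": 1700000005, "host": "build-01", "exe": "/usr/bin/curl", "dst": "pypi.org"}
{"ts": 1700000060, "host": "build-01", "exe": "/tmp/.cache/gupdate", "dst": "graph.microsoft.com"}
{"ts": 1700000121, "host": "build-01", "exe": "/tmp/.cache/gupdate", "dst": "graph.microsoft.com"}
{"ts": 1700000100, "host": "jump-02", "exe": "/usr/bin/rclone", "dst": "graph.microsoft.com"}
{"ts": 1700000180, "host": "build-01", "exe": "/tmp/.cache/gupdate", "dst": "graph.microsoft.com"}
{"ts": 1700000240, "host": "build-01", "exe": "/tmp/.cache/gupdate", "dst": "graph.microsoft.com"}
{"ts": 1700000250, "host": "ci-03", "exe": "/opt/ci/agent", "dst": "graph.microsoft.com"}
{"ts": 1700000301, "host": "build-01", "exe": "/tmp/.cache/gupdate", "dst": "graph.microsoft.com"}
{"ts": 1700000360, "host": "build-01", "exe": "/tmp/.cache/gupdate", "dst": "graph.microsoft.com"}
{"ts": 1700000420, "host": "build-01", "exe": "/tmp/.cache/gupdate", "dst": "graph.microsoft.com"}
{"ts": 1700000900, "host": "jump-02", "exe": "/usr/bin/rclone", "dst": "graph.microsoft.com"}
{"ts": 1700001990, "host": "ci-03", "exe": "/opt/ci/agent", "dst": "graph.microsoft.com"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda r: r["ts"])


def cadence(timestamps):
    """Median gap and coefficient of variation (stdev/mean) of the gaps.

    A low CV means the process connects on a fixed timer, which is what a
    poller checking a mailbox for new commands looks like.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return statistics.median(gaps), cv


def analyze(events, allowed=ALLOWED_GRAPH_CLIENTS, min_events=4, max_cv=0.2):
    """Return one finding per (host, exe) that reaches Graph without being allowlisted.

    beaconing is True when at least min_events connections exist and their
    cadence is regular (CV <= max_cv); with fewer events the process is
    still reported, just without a cadence verdict.
    """
    by_proc = defaultdict(list)
    for e in events:
        if e["dst"] == GRAPH_HOST and e["exe"] not in allowed:
            by_proc[(e["host"], e["exe"])].append(e["ts"])

    findings = []
    for (host, exe), ts in sorted(by_proc.items()):
        finding = {"host": host, "exe": exe, "count": len(ts),
                   "beaconing": False, "median_interval": None}
        if len(ts) >= min_events:
            median_gap, cv = cadence(ts)
            finding["median_interval"] = median_gap
            finding["beaconing"] = cv <= max_cv
        findings.append(finding)
    return findings


def run_sample():
    """Run the hunt over the constructed sample log."""
    return analyze(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        verdict = "BEACONING" if f["beaconing"] else "review"
        print(f"{verdict:10} {f['host']:10} {f['exe']:25} "
              f"n={f['count']} median_gap={f['median_interval']}")
```

On the sample, `/tmp/.cache/gupdate` on build-01 is reported as beaconing with a 60-second median gap, `/opt/ci/agent` on ci-03 is reported for review with no cadence verdict, and rclone on jump-02 is ignored. The thresholds are deliberately loose; a real implementation should also treat a first-seen executable path under `/tmp` or a home directory as an independent signal, and should feed the same logic from the egress proxy where the proxy records the client user or process.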