Hackers Use GHOSTYNETWORKS & OMEGATECH Bulletproof Hosting to Deliver JavaScript Backdoor Malware
In March 2026, a significant wave of malicious spam emails began targeting inboxes across multiple countries and industries. These campaigns reportedly leveraged infrastructure hosted on bulletproof hosting networks, through which threat actors quietly distributed a JavaScript-coded backdoor to organizations in sectors as critical as energy, automotive, and government finance.
The scale of the operation was wide, and the infrastructure behind it was carefully selected to stay under the radar.
The campaign was not a random scatter-shot attack. Targets included a major Ukrainian FMCG holding, a Russian oil-refining enterprise, automotive groups in Poland and Germany, and the Ministry of Finance of Transnistria.
A second wave in April 2026 extended the reach further, hitting more financially sensitive institutions. The consistent targeting of finance-related organizations strongly points to one goal: money.
Researchers at Intrinsec said in a report shared with Cyber Security News (CSN) that their CTI team tracked these campaigns closely and uncovered the bulletproof hosting infrastructure powering them.
Their investigation revealed two key autonomous systems, GHOSTYNETWORKS and OMEGATECH, announcing the address space that hosted both the spam-sending IPs and the command-and-control servers for the malware. The operation had been running in some form since at least mid-2025.

The JavaScript backdoor was heavily obfuscated and delivered as a file hidden inside ZIP or RAR archives attached to phishing emails.
Once a victim executed the file, the malware sent system information back to its command-and-control server using non-standard ports, making detection much harder.
The backdoor assigned a unique identifier to every infected machine and maintained persistent communication with its handlers.
The financial motive behind these campaigns aligns with a well-established and growing threat pattern. The FBI reported over $3 billion in business email compromise losses in 2025 alone.
Attackers are increasingly targeting organizations with weaker defenses, such as finance ministries of smaller nations, where limited budgets and less mature email controls make them far easier to compromise.
Hackers Use GHOSTYNETWORKS and OMEGATECH
The infrastructure behind these campaigns is what makes this case especially notable. GHOSTYNETWORKS, operating as AS205759 and registered in Kentucky in January 2026, hosted one of the spam-sending IP addresses.
Four of its six announced network prefixes are currently flagged as abusive by Spamhaus, which describes it as a network enabling cybercrime operations across the globe.

Intrinsec linked GHOSTYNETWORKS with high confidence to a now-defunct network called OPTIBOUNCE, also registered in Kentucky and previously tied to AnonRDP, a well-documented bulletproof hosting provider.
The same organization contact name, Daniel Mishayev, appears across multiple Kentucky-registered companies, each associated with a network consistently flagged for abusive content.
Throughout March 2026, honeypots recorded over 30,000 network hits from IPs announced by GHOSTYNETWORKS.
OMEGATECH (AS202412), based in the Seychelles, hosted the JavaScript backdoor’s command-and-control domain along with a second spam-sending domain.
Spamhaus identifies it as yet another front for Virtualine, a Russia-based bulletproof provider advertised on underground criminal forums.
![ASN history showing prefix 83.142.209[.]0/24 announced between 2022 and 2026 (Source - Intrinsec)](https://hackersradar.com/wp-content/uploads/2026/05/content_1779969634_1886.jpg)
Honeypots logged more than 642,000 network hits from OMEGATECH IPs during March 2026, showing just how heavily this network is exploited for malicious purposes.
JS Backdoor Delivery and Defensive Recommendations
The JavaScript backdoor was built for stealth. It communicated with its C2 server on unusual ports like 2002, 2004, and 7273, using an outdated Internet Explorer user-agent string to disguise its traffic as ordinary browser activity.
This design helps the malware blend in and avoid triggering basic security filters that focus on more obvious binary threats.
Intrinsec recommends that organizations block JavaScript-related file types such as .js, .jse, and .mjs attachments, along with ZIP, ISO, and RAR containers that may carry embedded scripts.
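As an added illustration of the attachment-blocking advice (example code, not Intrinsec's or HackersRadar's), a mail-gateway check that rejects script extensions outright and opens ZIP attachments to look for script members; the `attachment_verdict()` hook is hypothetical, only ZIP is inspected with the standard library, and ISO and RAR are blocked on extension alone.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Intrinsec recommends blocking, plus the container types that can
# hide them; .jse/.mjs are alternative script extensions wscript will also run.
SCRIPT_EXTENSIONS = {".js", ".jse", ".mjs"}
CONTAINER_EXTENSIONS = {".zip", ".iso", ".rar"}

def attachment_verdict(filename: str, data: bytes) -> tuple:
    """Return ("block" | "allow", reason) for one mail attachment (hypothetical
    gateway hook). Only ZIP is opened here (stdlib zipfile); ISO and RAR are
    blocked on extension alone, as the recommendation above suggests."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext in SCRIPT_EXTENSIONS:
        return "block", f"script attachment {filename}"
    if ext in CONTAINER_EXTENSIONS - {".zip"}:
        return "block", f"{ext} container {filename} may carry an embedded script"
    if ext == ".zip" or data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_ext = PurePosixPath(info.filename.lower()).suffix
                    if member_ext in SCRIPT_EXTENSIONS:
                        return "block", f"{filename} contains script {info.filename}"
                    if member_ext in CONTAINER_EXTENSIONS:
                        return "block", f"{filename} contains nested container {info.filename}"
        except zipfile.BadZipFile:
            return "block", f"{filename} is not a readable ZIP; refuse what cannot be inspected"
        return "allow", f"{filename} contains no script members"
    return "allow", f"{filename} is not a script or container"

def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples mirroring the lure names in the IoC table; the script
    # body is a placeholder, not the real backdoor.
    lure = build_zip({"PO 03603.js": b"// placeholder"})
    benign = build_zip({"invoice.pdf": b"%PDF-1.4 placeholder"})
    for name, blob in [("PO 03603.zip", lure), ("invoice.zip", benign), ("QUOTE_B0426.js", b"")]:
        print(name, attachment_verdict(name, blob))
```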

Enforcing application controls to prevent wscript and cscript execution outside trusted paths adds another important layer. Deploying advanced email security gateways to detect and filter phishing emails containing malicious attachments is also strongly advised.
Beyond technical controls, employee awareness remains a critical line of defense. Regular phishing training and simulated internal tests help staff recognize suspicious content before it causes real damage.
Blocking network prefixes tied to known bulletproof hosting autonomous systems at the firewall level remains one of the most efficient ways to stop malicious traffic from reaching internal systems.
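An added detection example (not code from the report) that combines the C2 traffic traits described in the delivery section with the prefix-blocking advice: it scans constructed proxy log lines for HTTP on ports 2002, 2004 or 7273 with an Internet Explorer user-agent, and for destinations inside the prefix and hosts taken from the IoC table. The log format, the `Trident/` marker and the rule names are assumptions.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Ports from the report; "MSIE" matches the outdated IE user-agent it describes,
# "Trident/" (IE 11) is an added assumption.
C2_PORTS = {2002, 2004, 7273}
OUTDATED_UA_MARKERS = ("MSIE", "Trident/")

# Prefix and hosts from the report's figure and IoC table. A real deployment
# would load every Spamhaus-flagged prefix for AS205759 and AS202412 from a feed.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("83.142.209.0/24", "91.92.243.79/32", "158.94.211.76/32")]

@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    reasons: tuple

    @property
    def severity(self) -> str:
        return "critical" if len(self.reasons) > 1 else "high"

def evaluate(line: str) -> Optional[Alert]:
    """Check one proxy log line (assumed format:
    '<ts> <src> <dst> <dport> <method> <path> "<user-agent>"') against both rules."""
    _ts, src, dst, dport, _method, _path, ua = shlex.split(line)
    dport = int(dport)
    reasons = []
    if dport in C2_PORTS and any(m in ua for m in OUTDATED_UA_MARKERS):
        reasons.append(f"HTTP on non-standard port {dport} with outdated IE user-agent")
    if any(ipaddress.ip_address(dst) in net for net in BLOCKED_NETWORKS):
        reasons.append(f"destination {dst} inside a bulletproof-hosting prefix")
    return Alert(src, dst, dport, tuple(reasons)) if reasons else None

def scan(lines) -> list:
    return [a for a in map(evaluate, lines) if a is not None]

# Constructed sample lines, not real captures: a C2 beacon, a benign browser
# session on 443, and a hit on the flagged prefix over an ordinary port.
SAMPLE_LOG = [
    '2026-03-12T09:14:02Z 10.20.30.41 158.94.211.76 7273 POST /gate "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2026-03-12T09:14:05Z 10.20.30.42 203.0.113.10 443 GET / "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '2026-03-12T09:15:11Z 10.20.30.43 83.142.209.64 80 GET /track "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a.severity, a.src, "->", f"{a.dst}:{a.dport}", "|", "; ".join(a.reasons))
```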
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| ASN | 205759 | GHOSTYNETWORKS |
| ASN | 202412 | OMEGATECH-AS |
| IPv4 | 83.142.209[.]64 | Emits spam |
| IPv4 | 91.92.243[.]79 | Emits spam and JS backdoor C2 |
| IPv4 | 158.94.211[.]76 | JS backdoor C2 |
| Domain | mail.talruit[.]com | Emits spam |
| Domain | talruit[.]com | Emits spam |
| Domain | scan.aryamint[.]com | JS backdoor C2 |
| Domain | aryamint[.]com | JS backdoor C2 |
| Domain | mpwirerope[.]com | Emits spam |
| Domain | ethara[.]org | Linked to threat actor’s infrastructure |
| SHA-256 | 794fab796e48f97e976d99157913ab5beee5ae8ef2731bf2af2222ae5b6a1c65 | JS backdoor – “QUOTE_B0426.js” |
| SHA-256 | ac842e4adb445a76aad135828d56116858a1b7d37b4a103f493e175816df9bb2 | JS backdoor – “PO 03603.zip” |
| SHA-256 | 33713a3650a3c1d64045c3832835dcacef92ad4f09c030fbe674454266880fea | JS backdoor – “PO 26683.js” |
| SHA-256 | 7277f4dfb26a53f8ee47cac051a82f6709e07b6603f26ff3987cc64a137e07dc | JS backdoor – “PO8767.rar” |
| SHA-256 | 232a179daf4db527c062b609ebb5f19310eea8f5c80afce6f763f5841110aed8 | JS backdoor – “PO8767.js” |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.