A novice cybercrime operator has been observed using the services of a Russian bulletproof hosting provider known as Proton66 to facilitate their malicious activities.
According to findings from DomainTools, this discovery was made after identifying a fake website, cybersecureprotect[.]com, hosted on Proton66, which masqueraded as a legitimate antivirus service.
DomainTools identified an operational security failure in the domain, which exposed the malicious infrastructure and revealed the malicious payloads staged on the server.
This led to the discovery of an emerging threat actor, known as Coquettte, an amateur cybercriminal leveraging Proton66’s bulletproof hosting to distribute malware and engage in other illicit activities, as stated in a report shared with The Hacker News.
Proton66 has been linked to several malware distribution campaigns, including GootLoader, Matanbuchus, SpyNote, Coper, and SocGholish, as well as phishing pages propagated via SMS messages to trick users into entering their banking credentials and credit card information.
Coquettte is utilizing the Proton66 ecosystem to distribute malware disguised as legitimate antivirus tools, specifically through a ZIP archive called “CyberSecure Pro.zip” that downloads a second-stage malware from a remote server.
The second-stage malware is a loader classified as Rugmi, which has been used to deploy information stealers like Lumma, Vidar, and Raccoon.
Further analysis of Coquettte’s digital footprints revealed a personal website claiming to be a “19-year-old software engineer, pursuing a degree in Software Development.”
The email address “root@coquettte[.]com” was used to register the cia[.]tf domain, confirming that Coquettte controlled the C2 server and operated the fake cybersecurity site as a malware distribution hub.
According to DomainTools, this suggests that Coquettte is a young individual, possibly a student, which aligns with the amateurish mistakes made in their cybercrime endeavors.
Coquettte’s ventures extend beyond malware distribution, as they have also been running websites that sell guides for manufacturing illegal substances and weapons, and are believed to be loosely tied to a broader hacking group known as Horrid.
DomainTools notes that the pattern of overlapping infrastructure suggests that the individuals behind these sites may refer to themselves as ‘Horrid,’ with Coquettte being an alias of one of the members rather than a lone actor.
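The attribution described above rests on infrastructure pivoting: one registrant e-mail (root@coquettte[.]com) appears on more than one domain, and those domains share hosting. The script below is an added illustration of that analyst workflow, not code from DomainTools or from the article. It refangs the defanged indicators, clusters domains by registrant e-mail while skipping privacy-proxy addresses (which would otherwise tie thousands of unrelated domains together), and reports the hosting providers a cluster sits on. Only cybersecureprotect[.]com, cia[.]tf, coquettte[.]com, root@coquettte[.]com and Proton66 come from the article; every other record, address and provider name is a constructed placeholder.

```python
"""Registrant e-mail pivot over constructed WHOIS/hosting records.

Added example; not DomainTools' tooling or code from the article.
"""
import re
from collections import defaultdict

# Constructed records: (domain, registrant e-mail, hosting provider).
# The .invalid names and "HostA"/"HostB" are placeholders made up here.
RECORDS = [
    ("cybersecureprotect[.]com", "redacted@privacy-proxy.invalid", "Proton66"),
    ("cia[.]tf",                 "root@coquettte[.]com",           "Proton66"),
    ("coquettte[.]com",          "root@coquettte[.]com",           "Proton66"),
    ("another-shop[.]invalid",   "redacted@privacy-proxy.invalid", "HostA"),
    ("guides-site[.]invalid",    "root@coquettte[.]com",           "HostB"),
]

# Addresses that registrars put on every privacy-protected record; treating
# them as a registrant would cluster unrelated domains together. Constructed.
PRIVACY_PROXIES = frozenset({"redacted@privacy-proxy.invalid"})


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('cia[.]tf', 'hxxp://...') into its live
    form, lowercased, so it can be used as a lookup key."""
    out = ioc.strip().lower()
    out = out.replace("[.]", ".").replace("(.)", ".").replace("[at]", "@")
    return re.sub(r"^hxxp", "http", out)


def cluster_by_registrant(records, privacy_proxies=frozenset()):
    """Group domains by registrant e-mail, dropping privacy-proxy addresses.
    Returns {email: sorted list of refanged domains}."""
    clusters = defaultdict(set)
    for domain, email, _host in records:
        email = refang(email)
        if email in privacy_proxies:
            continue
        clusters[email].add(refang(domain))
    return {email: sorted(doms) for email, doms in clusters.items()}


def pivot(records, seed_domain, privacy_proxies=frozenset()):
    """From one domain, find the registrant e-mail behind it, the other
    domains registered with that address, and the hosting providers the
    cluster uses. Returns None when the seed is unknown or its registrant
    is a privacy proxy (no reliable pivot is possible from it)."""
    seed = refang(seed_domain)
    by_domain = {refang(d): (refang(e), h) for d, e, h in records}
    if seed not in by_domain:
        return None
    email, _ = by_domain[seed]
    if email in privacy_proxies:
        return None
    linked = sorted(d for d, (e, _) in by_domain.items()
                    if e == email and d != seed)
    hosts = sorted({by_domain[d][1] for d in linked + [seed]})
    return {"registrant": email, "linked_domains": linked, "hosting": hosts}


if __name__ == "__main__":
    # The fake antivirus domain hides behind a proxy, so it cannot be pivoted
    # directly; the C2 domain's registrant exposes the rest of the cluster.
    print(pivot(RECORDS, "cybersecureprotect[.]com", PRIVACY_PROXIES))
    print(pivot(RECORDS, "cia[.]tf", PRIVACY_PROXIES))
    print(cluster_by_registrant(RECORDS, PRIVACY_PROXIES))
```

Note the asymmetry the proxy filter creates: pivoting from the fake antivirus site alone yields nothing, which is exactly why the exposed registrant e-mail on the C2 domain was the decisive link. Without the filter, the privacy-proxy address would falsely join the antivirus site to the unrelated shop.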
The group’s affiliation with multiple domains tied to cybercrime and illicit content suggests that it functions as an incubator for aspiring or amateur cybercriminals, providing resources and infrastructure to those looking to establish themselves in underground hacking circles.