{
  "name": "Where to Find Aspiring Hackers",
  "slug": "where-to-find-aspiring-hackers",
  "description": "This analysis focuses on Proton66, a bulletproof hosting network enabling cybercrime operations and serving as a hub for aspiring cybercriminals. It examines the activities of a threat actor known as 'Coquettte,' who is linked to the Horrid hacking group. The investigation reveals a fake cybersecurity website used for malware distribution and explores Coquettte's broader criminal ventures, including a website allegedly providing guides for illegal activities. The research highlights Proton66's role as a breeding ground for amateur threat actors and provides insights into the malware infrastructure used by Coquettte, including the Rugmi/Penguish loader trojan. The analysis also uncovers connections to other domains and potential affiliations with a larger hacking collective.",
  "published": "2025-04-04T17:54:29+00:00",
  "created_at": "2025-04-04T17:54:29+00:00",
  "modified_at": "2025-04-07T06:04:57+00:00",
  "created_at_opencti": "2025-04-04T17:54:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-04",
    "amadey",
    "amateur hackers",
    "bulletproof hosting",
    "cybercrime",
    "fake cybersecurity",
    "horrid hacking group",
    "infostealers",
    "lumma stealer",
    "penguish",
    "proton66",
    "recordbreaker",
    "rescoms",
    "rugmi",
    "rugmi malware",
    "vidar"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:b4175f4afe1858a7",
        "name": "Rugmi",
        "slug": "rugmi"
      },
      {
        "id": "0100163d-057d-4bd9-9194-f30e39c9fc53",
        "name": "Penguish",
        "slug": "penguish"
      },
      {
        "id": "legacy:malware:760697ec60a50988",
        "name": "Amadey - S1025",
        "slug": "amadey-s1025"
      },
      {
        "id": "legacy:malware:31827995e2ef708e",
        "name": "Rescoms",
        "slug": "rescoms"
      },
      {
        "id": "0051da15-675b-4665-a6d1-872f64cf47ea",
        "name": "Lumma stealer",
        "slug": "lumma-stealer"
      },
      {
        "id": "legacy:malware:4c158bd3d2e6b80b",
        "name": "RecordBreaker",
        "slug": "recordbreaker"
      },
      {
        "id": "2c582ed8-35df-4ef9-917d-994e214aa5f9",
        "name": "Vidar",
        "slug": "vidar"
      }
    ],
    "intrusion_sets": [
      {
        "id": "57dad65e-1e93-47ca-b91c-14e27f8a02f9",
        "name": "Coquettte",
        "slug": "coquettte"
      }
    ],
    "attack_patterns": [
      {
        "id": "28548897-8b18-4095-97e8-1732f52e9316",
        "name": "T1102.003"
      },
      {
        "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd",
        "name": "T1588.001"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "6a146066-5a78-493c-a26a-133b62c1149e",
        "name": "T1588.002"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://dti.domaintools.com/proton66-where-to-find-aspiring-hackers",
    "https://otx.alienvault.com/pulse/67f038f5181e071891d8e3bf"
  ]
}