An emerging cybercriminal going by the alias Coquettte has been caught exploiting a Russian bulletproof hosting (BPH) provider, Proton66, to launch malware attacks — all due to a critical OPSEC failure that exposed their hidden infrastructure.
Malware Masquerading as Antivirus Software
According to a new report from DomainTools, the investigation began with the discovery of a fake antivirus website — cybersecureprotect[.]com — hosted on Proton66’s infrastructure. The site was found distributing malware under the guise of a security tool, a classic social engineering tactic aimed at tricking unsuspecting users.
However, a major operational security lapse by Coquettte left directories open on the server, exposing not just malware payloads but also digital fingerprints tying back to the actor.
“This OPSEC failure pulled back the curtain on Coquettte’s wider operation — a low-skilled yet determined cybercriminal utilizing Proton66’s services to push malware and conduct illicit online activities,” DomainTools shared in a statement to The easy4hub News.
Inside Proton66: A Haven for Malware Operators
Proton66, which is also linked to another shady hosting service called PROSPERO, is notorious in the cybersecurity world for facilitating malware distribution and phishing attacks. It has been connected to the spread of various Windows and Android malware families, including:
- GootLoader
- Matanbuchus
- SpyNote
- Coper (a.k.a. Octo)
- SocGholish
Phishing campaigns hosted on Proton66 often spread through SMS messages, attempting to steal sensitive banking and credit card credentials.
Coquettte’s Malware Delivery Chain
Coquettte’s malware campaign involved a downloadable ZIP file named “CyberSecure Pro.zip”, containing a Windows installer. Once executed, the installer connected to a command-and-control (C2) server at cia[.]tf, fetching a second-stage payload.
This second-stage malware is a loader known as Rugmi (also referred to as Penguish), often used to deploy well-known information stealers like:
- Lumma
- Vidar
- Raccoon
Tracing the Threat Actor: Who Is Coquettte?
Investigators found that the C2 domain cia[.]tf was registered with the email address root@coquettte[.]com. They also discovered a personal website on which the actor claims to be a 19-year-old software engineering student — adding a bizarre twist of personal ambition to their cybercriminal activity.
More Than Just Malware: Illicit Guides and Dangerous Affiliations
Coquettte’s criminal involvement extends beyond malware. DomainTools reports that the individual also runs websites selling illegal guides — including instructions for manufacturing controlled substances and weapons.
Moreover, the actor is believed to be affiliated with a broader hacking group named Horrid. Shared infrastructure and domain patterns suggest that Coquettte is likely one of many members — possibly using the alias as part of a cybercrime collective.
⚠️ Key Takeaways
- Coquettte’s malware campaign was uncovered due to poor OPSEC practices.
- The actor used Proton66, a bulletproof hosting provider linked to major malware families.
- Malware was distributed through a fake antivirus site and used loaders like Rugmi.
- Links to a young developer persona and the underground group Horrid were found.
- Activity spans malware deployment, illegal content distribution, and C2 operations.
Stay Informed, Stay Secure
This case highlights the importance of robust threat intelligence and awareness of malware-hosting infrastructure. To defend against such threats:
- Always verify the authenticity of antivirus tools and security software.
- Avoid downloading ZIP files from untrusted sources.
- Use endpoint protection and regularly monitor for indicators of compromise (IoCs).
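As an added defensive illustration, not code from the DomainTools report or from this article, the following Python script shows what "monitoring for IoCs" can look like in practice for the delivery chain described above. It takes the article's defanged indicators (the lure domain cybersecureprotect[.]com, the C2 cia[.]tf and the registrant domain coquettte[.]com), refangs them, scans proxy log lines for hosts that match them or their subdomains, and then flags any source that fetched from the lure site and later reached the C2. The log format, the source addresses and every log line are constructed assumptions; the article gives no IP addresses, so none appear here.

```python
import re

# Indicators in defanged form, exactly as the article prints them. The
# registrant address root@coquettte[.]com is kept as a domain only.
DEFANGED_IOCS = [
    "cybersecureprotect[.]com",  # fake antivirus lure site on Proton66
    "cia[.]tf",                  # C2 the installer contacts for stage two
    "coquettte[.]com",           # domain of the C2's registrant e-mail
]

# Constructed proxy log lines in a hypothetical key=value format:
# timestamp, source IP, requested host, path, status. None are real captures.
SAMPLE_PROXY_LOG = [
    "2025-04-01T10:00:01Z src=10.0.0.5 host=update.example.net path=/ status=200",
    "2025-04-01T10:02:14Z src=10.0.0.5 host=cybersecureprotect.com path=/CyberSecure%20Pro.zip status=200",
    "2025-04-01T10:03:40Z src=10.0.0.5 host=cdn.cia.tf path=/stage2 status=200",
    "2025-04-01T10:05:00Z src=10.0.0.9 host=example.org path=/ status=200",
    "2025-04-01T10:06:22Z src=10.0.0.9 host=notcia.tf path=/ status=200",
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+host=(?P<host>\S+)")


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('[.]', '(.)', '[:]', 'hxxp') into matchable form."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    ioc = re.sub(r"^hxxp", "http", ioc)
    return ioc.strip().lower()


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True for an exact match or any subdomain; 'notcia.tf' must not match 'cia.tf'."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, src, host, matched_indicator) for every hit."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        src, host = m.group("src"), m.group("host")
        for d in refanged:
            if domain_matches(host, d):
                hits.append((lineno, src, host, d))
                break
    return hits


def delivery_chain_sources(lines, lure="cybersecureprotect[.]com", c2="cia[.]tf"):
    """Sources that fetched from the lure site and then reached the C2, in the
    order the article describes (lure first, C2 afterwards)."""
    lure_d, c2_d = refang(lure), refang(c2)
    first_lure, chained = {}, set()
    for lineno, src, host, matched in scan_logs(lines, [lure, c2]):
        if matched == lure_d:
            first_lure.setdefault(src, lineno)
        elif matched == c2_d and src in first_lure and lineno > first_lure[src]:
            chained.add(src)
    return chained


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_PROXY_LOG):
        print("IoC hit:", hit)
    print("delivery-chain sources:", delivery_chain_sources(SAMPLE_PROXY_LOG))
```

The subdomain check is deliberately strict: a host is matched only when it equals the indicator or ends in "." followed by it, so a look-alike such as notcia.tf does not produce a false positive. The chain check adds the ordering constraint (lure download before C2 contact) so that a single stray DNS lookup of the C2 is reported as a hit but not as a completed infection sequence.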