Maltrail IOCs for ImminentRAT and EK_ClearFake Campaigns
This brief covers newly published Maltrail IOCs, including domains associated with EK_ClearFake and an IP address and domains associated with ImminentRAT, potentially indicating ongoing malicious activity.
This threat brief is based on Maltrail IOCs published on 2026-05-06, highlighting potential malicious activity related to two distinct campaigns: EK_ClearFake and ImminentRAT. The EK_ClearFake campaign involves a large number of newly registered domains, often using similar naming patterns and hosting various fake services. ImminentRAT indicators include a specific IP address and a few domains resolving to it. These indicators may represent command-and-control infrastructure, malware distribution points, or phishing sites. Defenders should investigate network traffic and DNS queries for these IOCs to identify potentially compromised systems or ongoing attacks.
Attack Chain
This attack chain is inferred based on the nature of the identified IOCs and common attack patterns associated with RATs and fake services.
- Initial Access: User visits a compromised website or falls victim to a social engineering attack (e.g., phishing email).
- Delivery: Malicious payload (e.g., ImminentRAT installer) is delivered to the victim’s machine via drive-by download or as an attachment.
- Installation: The ImminentRAT malware is installed on the victim’s system, establishing persistence.
- Command and Control: The ImminentRAT malware connects to the C2 server at 79.130.189.207, typically via one of the dynamic-DNS hostnames that resolve to it (trojandev.ddns.net, trojandev.servehttp.com, trojandev2.servehttp.com, trojandev20.servehttp.com), to receive instructions.
- Privilege Escalation: The malware attempts to escalate privileges on the compromised system to gain higher-level access.
- Data Exfiltration: Sensitive data is stolen from the victim’s system and transmitted to the attacker’s infrastructure.
- Lateral Movement: Attackers use the compromised system as a launchpad to move laterally within the network, compromising additional systems.
- Final Objective: The ultimate goal could include data theft, financial fraud, espionage, or disruption of services.
For EK_ClearFake, the domains are likely used in phishing or scams, attempting to steal credentials or lure victims into fraudulent transactions. The hostname labels in the list (apidoc., apidocs., apiops., appbox., appsrc.) suggest pages posing as developer documentation, API portals or application download sites, consistent with the "fake services" noted above; this is an inference from the naming, not a confirmed observation.
Impact
Successful exploitation can lead to data breaches, financial loss, reputational damage, and system compromise. If ImminentRAT is successfully deployed, attackers could gain complete control over the infected system, enabling them to steal sensitive information, install additional malware, or use the system as a bot in a larger attack. The EK_ClearFake domains may be used in phishing campaigns, leading to credential theft and account compromise.
Recommendation
- Monitor network traffic and DNS queries for connections to the IOCs listed in this brief, including the ImminentRAT IP address 79.130.189.207 and domains such as trojandev.ddns.net. Match EK_ClearFake domains on the full label hierarchy, since many entries are subdomains of other listed domains (for example alig9-trail.1dorelax.surf under 1dorelax.surf), and new subdomains of the same parents are likely.
- Block the C2 domains associated with ImminentRAT (trojandev.ddns.net, trojandev.servehttp.com, trojandev2.servehttp.com, trojandev20.servehttp.com) at the DNS resolver. These are hostnames under shared dynamic-DNS providers, so block the exact hostnames rather than the parent zones ddns.net or servehttp.com, which carry legitimate traffic.
- Implement web filtering to block access to the domains associated with EK_ClearFake (e.g., nanobanano.baby, 1dorelax.surf, etc.).
- Treat the single IP address 79.130.189.207 as a time-bound indicator: dynamic-DNS names can be re-pointed at any time, so re-resolve the hostnames periodically and do not rely on the IP alone.
- Deploy the Sigma rule "Detect ImminentRAT C2 Beacon" to your SIEM to identify potential ImminentRAT infections.
- Deploy the Sigma rule "Detect EK_ClearFake Domain Access" to your SIEM to identify potential phishing attempts.
Detection coverage (2 rules)
- Detect ImminentRAT C2 Beacon (severity: high): Detects network connections to known ImminentRAT command and control servers.
- Detect EK_ClearFake Domain Access (severity: medium): Detects DNS queries to domains associated with the EK_ClearFake campaign.
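The following is an added example, written for this brief, of the matching logic behind the two detection rules and the monitoring recommendation above: it scans resolver and firewall log lines for the listed domains (including anything beneath them) and the C2 IP, and emits a response-policy zone that blocks the domains at the resolver. It is not Maltrail code and not the platform's Sigma rules; the two log formats and the sample log lines are constructed for illustration, and the IOC table holds only a subset of the brief's 42 domains.

```python
"""Match resolver and firewall logs against the ImminentRAT and EK_ClearFake IOCs.

Added example for this brief; not Maltrail code and not the platform's Sigma
rules. The two log formats below are constructed for illustration; adapt the
regexes to your own resolver / firewall export.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicator values copied from the brief's table (a subset of the 42 domains;
# extend with the full list). Campaign labels follow the brief.
IOC_DOMAINS: Dict[str, str] = {
    # ImminentRAT C2 hostnames. They sit under shared dynamic-DNS zones
    # (ddns.net, servehttp.com), so only the full hostname is an IOC.
    "trojandev.ddns.net": "ImminentRAT",
    "trojandev.servehttp.com": "ImminentRAT",
    "trojandev2.servehttp.com": "ImminentRAT",
    "trojandev20.servehttp.com": "ImminentRAT",
    # EK_ClearFake domains; several are subdomains of others in the list.
    "nanobanano.baby": "EK_ClearFake",
    "1dorelax.surf": "EK_ClearFake",
    "1zorelix.surf": "EK_ClearFake",
    "apidoc.1zorelix.surf": "EK_ClearFake",
    "alig9-trail.1dorelax.surf": "EK_ClearFake",
    "5bb2q4fr.izyob7rickets.digital": "EK_ClearFake",
}
IOC_IPS: Dict[str, str] = {"79.130.189.207": "ImminentRAT"}

# Constructed log formats: "<ts> <client> <qtype> <qname>" for DNS queries and
# "<ts> <src> -> <dst>:<dport> <proto>" for outbound connections.
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")
CONN_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot that many resolver logs append."""
    return name.strip().rstrip(".").lower()


def match_domain(qname: str) -> Optional[Tuple[str, str]]:
    """Return (ioc, campaign) when qname equals an IOC or sits beneath one.

    The label hierarchy is walked from the full name towards the TLD, so
    'cdn.1dorelax.surf' matches the IOC '1dorelax.surf', while
    'other.ddns.net' matches nothing because 'ddns.net' is not an IOC.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate, IOC_DOMAINS[candidate]
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per DNS query whose name matches an IOC domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # blank line or a format we do not parse
        found = match_domain(m["qname"])
        if found:
            ioc, campaign = found
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize(m["qname"]), "ioc": ioc, "campaign": campaign})
    return hits


def scan_conn_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per outbound connection to an IOC IP, on any port."""
    hits = []
    for line in lines:
        m = CONN_LINE.match(line.strip())
        if m and m["dst"] in IOC_IPS:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "dport": m["dport"], "campaign": IOC_IPS[m["dst"]]})
    return hits


def rpz_zone(domains: Iterable[str], origin: str = "rpz.local.") -> str:
    """Build a response-policy zone that NXDOMAINs each IOC and everything beneath it.

    'CNAME .' is the RPZ NXDOMAIN action; the wildcard record covers subdomains
    not yet on the list. Load the result as an RPZ in BIND or Unbound.
    """
    out = [f"$ORIGIN {origin}", "$TTL 300",
           "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 300",
           "@ IN NS localhost."]
    for name in sorted(set(domains)):
        out.append(f"{name} CNAME .")
        out.append(f"*.{name} CNAME .")
    return "\n".join(out) + "\n"


# Constructed sample logs (not real traffic) for a quick local run.
SAMPLE_DNS_LOG = """\
2026-05-06T09:58:11Z 10.20.1.15 A apidoc.1zorelix.surf.
2026-05-06T09:58:12Z 10.20.1.15 A www.example.com
2026-05-06T10:02:40Z 10.20.1.33 A trojandev.ddns.net
2026-05-06T10:02:41Z 10.20.1.40 A other.ddns.net
2026-05-06T10:05:03Z 10.20.1.15 AAAA cdn.1dorelax.surf
"""
SAMPLE_CONN_LOG = """\
2026-05-06T10:02:45Z 10.20.1.33 -> 79.130.189.207:443 TCP
2026-05-06T10:02:46Z 10.20.1.33 -> 203.0.113.5:443 TCP
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()) + scan_conn_log(SAMPLE_CONN_LOG.splitlines()):
        print(hit)
    print(rpz_zone(IOC_DOMAINS))
```

On the sample input the scanner reports three DNS hits (the exact IOC apidoc.1zorelix.surf, the C2 hostname trojandev.ddns.net, and cdn.1dorelax.surf via its parent 1dorelax.surf) and one connection hit, while other.ddns.net is correctly ignored because the shared dynamic-DNS zone is not itself an indicator. The same parent-domain walk is what keeps the ImminentRAT entries precise while still catching new subdomains of the EK_ClearFake .surf domains.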
Indicators of compromise
Summary: 42 domains, 1 IP address, 7 URLs. The URLs are references (the Maltrail commits, the X post and the VirusTotal file pages the indicators were sourced from), not indicators to block; only the domain and IP rows belong in blocklists and detection rules.
| Type | Value |
|---|---|
| url | https://api.github.com/repos/stamparm/maltrail/commits/6668708e0fd58004129536b2f421c2eaaa37f10e |
| url | https://x.com/Fact_Finder03/status/2051952424609628206 |
| url | https://www.virustotal.com/gui/file/9f93e3fde12dfd6ec269e082e4429b562698aca4122c05111168bd7345b49f94/detection |
| url | https://www.virustotal.com/gui/file/ba057c29b899fff8770dbccc39c533d2de294acc5f0ddeb2fc4f7aea2057e92b/detection |
| url | https://www.virustotal.com/gui/file/d6baf65de9bf177fae9cc926267295c6efda60979ca1d3261dcbeeead0f714b8/detection |
| ip | 79.130.189.207 |
| domain | trojandev.ddns.net |
| domain | trojandev.servehttp.com |
| domain | trojandev2.servehttp.com |
| domain | trojandev20.servehttp.com |
| url | https://api.github.com/repos/stamparm/maltrail/commits/d10e877cc29d6f2fbd59fc1da20480e2246014f0 |
| domain | nanobanano.baby |
| url | https://api.github.com/repos/stamparm/maltrail/commits/b9e9f30f096b6bea936ead2a71b43ace1827772c |
| domain | 1dorelax.surf |
| domain | 1zorelix.surf |
| domain | 2zorelin.surf |
| domain | 3zavlore.surf |
| domain | 4dapt3-node.pavlore9.surf |
| domain | 4dorexal.surf |
| domain | 5bb2q4fr.izyob7rickets.digital |
| domain | 5parr-forge.torex5lin.surf |
| domain | 6toralex.surf |
| domain | 7toralex.lat |
| domain | 8dorexin.surf |
| domain | 9sgsurs.vexon3ar.surf |
| domain | 9toravex.surf |
| domain | a1ig-vector.vexon3ar.surf |
| domain | actsdks.surf |
| domain | alig9-trail.1dorelax.surf |
| domain | alt-b1oo.xamir2el.surf |
| domain | apidoc.1zorelix.surf |
| domain | apidoc.3zavlore.surf |
| domain | apidocs.2zorelin.surf |
| domain | apidocs.fewhtml.surf |
| domain | apidocs.nodespit.surf |
| domain | apidocs.technovortexhub.surf |
| domain | apiops.sori7xen.surf |
| domain | apiops.sorix2el.surf |
| domain | apiopss.lorex7in.surf |
| domain | apiopss.ultrashiftnet.surf |
| domain | apiopss.zooblob.surf |
| domain | appbox.6toralex.surf |
| domain | appboxs.9toravex.surf |
| domain | appboxs.actsdks.surf |
| domain | appboxs.digitalcloudnet.surf |
| domain | appboxs.tonmixin.surf |
| domain | appsrc.sori7xen.surf |
| domain | appsrc.sorix2el.surf |
| domain | appsrch.lorex7in.surf |
| domain | appsrch.ultrashiftnet.surf |