{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ek_clearfake/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["imminentrat","ek_clearfake","malware","rat","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief is based on Maltrail IOCs published on 2026-05-06, highlighting potential malicious activity related to two distinct campaigns: EK_ClearFake and ImminentRAT. The EK_ClearFake campaign involves a large number of newly registered domains, often using similar naming patterns and hosting various fake services. ImminentRAT indicators include a specific IP address and a few domains resolving to it. These indicators may represent command-and-control infrastructure, malware distribution points, or phishing sites. Defenders should investigate network traffic and DNS queries for these IOCs to identify potentially compromised systems or ongoing attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis attack chain is inferred based on the nature of the identified IOCs and common attack patterns associated with RATs and fake services.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e User visits a compromised website or falls victim to a social engineering attack (e.g., phishing email).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery:\u003c/strong\u003e Malicious payload (e.g., ImminentRAT installer) is delivered to the victim\u0026rsquo;s machine via drive-by download or as an attachment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInstallation:\u003c/strong\u003e The ImminentRAT malware is installed on the victim\u0026rsquo;s system, establishing persistence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The ImminentRAT malware connects to the C2 server (79.130.189.207 or trojandev.ddns.net) to receive instructions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The malware attempts to escalate privileges on the compromised system to gain higher-level access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Sensitive data is stolen from the victim\u0026rsquo;s system and transmitted to the attacker\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Attackers use the compromised system as a launchpad to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinal Objective:\u003c/strong\u003e The ultimate goal could include data theft, financial fraud, espionage, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eFor EK_ClearFake, the domains are likely used in phishing or scams, attempting to steal credentials or lure victims into fraudulent transactions.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to data breaches, financial loss, reputational damage, and system compromise. If ImminentRAT is successfully deployed, attackers could gain complete control over the infected system, enabling them to steal sensitive information, install additional malware, or use the system as a bot in a larger attack. The EK_ClearFake domains may be used in phishing campaigns, leading to credential theft and account compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic and DNS queries for connections to the IOCs listed in this brief, including the ImminentRAT IP address \u003ccode\u003e79.130.189.207\u003c/code\u003e and domains such as \u003ccode\u003etrojandev.ddns.net\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains associated with ImminentRAT (\u003ccode\u003etrojandev.ddns.net\u003c/code\u003e, \u003ccode\u003etrojandev.servehttp.com\u003c/code\u003e, \u003ccode\u003etrojandev2.servehttp.com\u003c/code\u003e, \u003ccode\u003etrojandev20.servehttp.com\u003c/code\u003e) at the DNS resolver.\u003c/li\u003e\n\u003cli\u003eImplement web filtering to block access to the domains associated with EK_ClearFake (e.g., \u003ccode\u003enanobanano.baby\u003c/code\u003e, \u003ccode\u003e1dorelax.surf\u003c/code\u003e, etc.)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ImminentRAT C2 Beacon\u003c/code\u003e to your SIEM to identify potential ImminentRAT infections.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect EK_ClearFake Domain Access\u003c/code\u003e to your SIEM to identify potential phishing attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:12Z","date_published":"2026-05-06T12:00:12Z","id":"/briefs/2026-05-maltrail-iocs/","summary":"This brief covers newly published Maltrail IOCs, including domains associated with EK_ClearFake and an IP address and domains associated with ImminentRAT, potentially indicating ongoing malicious activity.","title":"Maltrail IOCs for ImminentRAT and EK_ClearFake Campaigns","url":"https://feed.craftedsignal.io/briefs/2026-05-maltrail-iocs/"}],"language":"en","title":"CraftedSignal Threat Feed — Ek_clearfake","version":"https://jsonfeed.org/version/1.1"}