Ek_clearfake — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/ek_clearfake/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 06 May 2026 12:00:12 +0000Maltrail IOCs for ImminentRAT and EK_ClearFake Campaignshttps://feed.craftedsignal.io/briefs/2026-05-maltrail-iocs/Wed, 06 May 2026 12:00:12 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-maltrail-iocs/This brief covers newly published Maltrail IOCs, including domains associated with EK_ClearFake and an IP address and domains associated with ImminentRAT, potentially indicating ongoing malicious activity.This threat brief is based on Maltrail IOCs published on 2026-05-06, highlighting potential malicious activity related to two distinct campaigns: EK_ClearFake and ImminentRAT. The EK_ClearFake campaign involves a large number of newly registered domains, often using similar naming patterns and hosting various fake services. ImminentRAT indicators include a specific IP address and a few domains resolving to it. These indicators may represent command-and-control infrastructure, malware distribution points, or phishing sites. Defenders should investigate network traffic and DNS queries for these IOCs to identify potentially compromised systems or ongoing attacks.

Attack Chain

This attack chain is inferred based on the nature of the identified IOCs and common attack patterns associated with RATs and fake services.

  1. Initial Access: User visits a compromised website or falls victim to a social engineering attack (e.g., phishing email).
  2. Delivery: Malicious payload (e.g., ImminentRAT installer) is delivered to the victim’s machine via drive-by download or as an attachment.
  3. Installation: The ImminentRAT malware is installed on the victim’s system, establishing persistence.
  4. Command and Control: The ImminentRAT malware connects to the C2 server (79.130.189.207 or trojandev.ddns.net) to receive instructions.
  5. Privilege Escalation: The malware attempts to escalate privileges on the compromised system to gain higher-level access.
  6. Data Exfiltration: Sensitive data is stolen from the victim’s system and transmitted to the attacker’s infrastructure.
  7. Lateral Movement: Attackers use the compromised system as a launchpad to move laterally within the network, compromising additional systems.
  8. Final Objective: The ultimate goal could include data theft, financial fraud, espionage, or disruption of services.

For EK_ClearFake, the domains are likely used in phishing or scams, attempting to steal credentials or lure victims into fraudulent transactions.

Impact

Successful exploitation can lead to data breaches, financial loss, reputational damage, and system compromise. If ImminentRAT is successfully deployed, attackers could gain complete control over the infected system, enabling them to steal sensitive information, install additional malware, or use the system as a bot in a larger attack. The EK_ClearFake domains may be used in phishing campaigns, leading to credential theft and account compromise.

Recommendation

  • Monitor network traffic and DNS queries for connections to the IOCs listed in this brief, including the ImminentRAT IP address 79.130.189.207 and domains such as trojandev.ddns.net.
  • Block the C2 domains associated with ImminentRAT (trojandev.ddns.net, trojandev.servehttp.com, trojandev2.servehttp.com, trojandev20.servehttp.com) at the DNS resolver.
  • Implement web filtering to block access to the domains associated with EK_ClearFake (e.g., nanobanano.baby, 1dorelax.surf, etc.)
  • Deploy the Sigma rule Detect ImminentRAT C2 Beacon to your SIEM to identify potential ImminentRAT infections.
  • Deploy the Sigma rule Detect EK_ClearFake Domain Access to your SIEM to identify potential phishing attempts.
]]>mediumadvisoryimminentratek_clearfakemalwareratphishing