Global JS Malware Campaign Leveraging GHOSTYNETWORKS and OMEGATECH Hosting
Severity: High (Score: 66.5)
Sources: Cybersecuritynews, Gbhackers
Keywords: hackers, ghostynetworks, omegatech, malware, host, infrastructure, march
Severity indicators: malware
Summary
In March 2026, hackers exploited GHOSTYNETWORKS and OMEGATECH to deploy a JavaScript backdoor via malspam targeting various sectors, including energy and finance. The operation involved sending malicious emails with ZIP or RAR attachments containing the malware. Organizations across multiple countries were affected, indicating a wide scope of impact. The infrastructure used is designed to evade detection and maintain persistence. This campaign highlights the ongoing threat posed by bulletproof hosting services in facilitating cybercrime. Current status indicates ongoing malspam activity without immediate remediation steps reported.
Key Points:
- Hackers used GHOSTYNETWORKS and OMEGATECH for a large-scale JS malware campaign.
- Malicious emails delivered a JavaScript backdoor to critical sectors like energy and finance.
- The operation's infrastructure is designed to evade detection and sustain long-term attacks.
Detailed Analysis
**Impact** Organizations across multiple sectors including energy, finance ministries, automotive, and government finance were targeted in a global campaign. The attack affected entities in multiple countries, with malspam waves delivering JavaScript backdoors via ZIP or RAR attachments. The campaign risked operational disruption and potential data compromise through business email compromise and backdoor access.
**Technical Details** The attack vector involved malspam emails containing ZIP or RAR attachments with JavaScript backdoors. Threat actors leveraged bulletproof hosting providers GHOSTYNETWORKS and OMEGATECH to host the malware infrastructure. No specific CVEs or additional IOCs were provided in the articles. The campaign focused on initial access and persistence stages of the kill chain.
**Recommended Response** Defenders should prioritize blocking and monitoring email attachments with suspicious JavaScript content, especially ZIP and RAR files. Network defenses should include blocking traffic to and from GHOSTYNETWORKS and OMEGATECH hosting IPs if possible. Organizations should enhance email filtering and user awareness for malspam campaigns. No patching information was provided; monitoring for unusual backdoor activity is advised.
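One way to implement the attachment check from the recommended response, as an added example that is not taken from the source articles: it flags script files delivered directly or inside ZIP archives (going slightly beyond the text by descending into nested ZIPs) and flags RAR archives for quarantine. The function names, extension list and size cap are assumptions, and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = (".js", ".jse")   # assumption: extensions treated as script droppers
RAR_MAGIC = b"Rar!\x1a\x07"     # shared prefix of the RAR 4 and RAR 5 signatures
MAX_MEMBER = 10_000_000         # assumption: skip nested members larger than this

def scan_blob(name, data, depth=2):
    """Return findings for one attachment, descending into nested ZIPs."""
    if name.lower().endswith(SCRIPT_EXTS):
        return [f"script: {name}"]
    if data.startswith(RAR_MAGIC):
        # The standard library cannot unpack RAR, so flag it for quarantine instead.
        return [f"rar (not inspected): {name}"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = f"{name}!{info.filename}"
            if info.filename.lower().endswith(SCRIPT_EXTS):
                findings.append(f"script: {inner}")     # names stay readable even if encrypted
            elif info.flag_bits & 0x1:
                findings.append(f"encrypted: {inner}")  # content cannot be inspected
            elif depth > 0 and info.file_size <= MAX_MEMBER:
                findings += scan_blob(inner, zf.read(info), depth - 1)
    return findings

def scan_message(raw):
    """Scan every attachment of an RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings += scan_blob(part.get_filename() or "(unnamed)", part.get_payload(decode=True) or b"")
    return findings

def build_sample():
    """Constructed sample: a mail with a ZIP holding a harmless .js file, plus a fake RAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0326.js", "// constructed placeholder, not malware\n")
        zf.writestr("readme.txt", "constructed sample text, not an archive")
    msg = EmailMessage()
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(RAR_MAGIC + b"\x00", maintype="application", subtype="octet-stream", filename="scan.rar")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns one finding per flagged attachment; a mail gateway hook would quarantine on any non-empty result.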
Source articles (2)
- Hackers Host JS Malware on GHOSTYNETWORKS and OMEGATECH — Gbhackers · 2026-05-28
  Hackers are abusing two bulletproof hosting providers, GHOSTYNETWORKS and OMEGATECH, to run a global JavaScript (JS) malware infrastructure that powers large‑scale malspam and business email compromis…
- Hackers Use GHOSTYNETWORKS and OMEGATECH to Host JS Malware Infrastructure — Cybersecuritynews · 2026-05-28
  In March 2026, a wave of malicious spam emails began hitting inboxes across multiple countries and industries. Threat actors were quietly distributing a JavaScript-coded backdoor, targeting organizati…
Timeline
- 2026-03-01 — Malspam campaign initiated: Hackers began distributing malicious emails with JS backdoors targeting various sectors globally.
- 2026-03-15 — Widespread impact reported: Organizations in energy, automotive, and finance sectors reported successful infections from the malspam campaign.
- 2026-05-28 — Current status update: As of today, the malspam campaign continues with no reported remediation measures in place.
Related entities
- Ghostynetworks (Apt Group)
- Omegatech (Apt Group)
- Malware (Attack Type)
- Phishing (Attack Type)
- Automotive (Industry)
- Energy (Industry)
- Government (Industry)
- T1566.001 - Spearphishing Attachment (MITRE ATT&CK)
- T1566 - Phishing (MITRE ATT&CK)