JS Backdoor Campaign Targets Energy, Auto, and Finance Sectors via GHOSTYNETWORKS and OMEGATECH Bulletproof Hosting
A JavaScript backdoor campaign targeting energy, automotive, and government finance organizations in Eastern Europe is being powered by bulletproof hosting providers GHOSTYNETWORKS and OMEGATECH.

In March 2026, a wave of malicious spam emails began hitting inboxes across multiple countries and industries. Threat actors were quietly distributing a JavaScript-coded backdoor, targeting organizations in sectors as critical as energy, automotive, and government finance. The scale of the operation was wide, and the infrastructure behind it was carefully selected to stay under the radar.
The campaign was not a random scatter-shot attack. Targets included a major Ukrainian FMCG holding, a Russian oil-refining enterprise, automotive groups in Poland and Germany, and the Ministry of Finance of Transnistria. A second wave in April 2026 extended the reach further, hitting more financially sensitive institutions. The consistent targeting of finance-related organizations strongly points to one goal: money.
Researchers at Intrinsec said in a report shared with Cyber Security News (CSN) that their CTI team tracked these campaigns closely and uncovered the bulletproof hosting infrastructure powering them. Their investigation revealed two key autonomous systems, GHOSTYNETWORKS and OMEGATECH, being used to route both the spam-sending IPs and the command-and-control servers for the malware. The operation had been running in some form since at least mid-2025.
The JavaScript backdoor was heavily obfuscated and delivered inside ZIP or RAR archives attached to phishing emails. Once a victim opened the script, the malware collected system information and sent it to its command-and-control server over non-standard ports rather than the usual web ports, which makes it easier to slip past controls tuned to ordinary HTTP/HTTPS traffic. The backdoor assigned each infected machine a unique identifier and kept up a persistent channel with its operators.
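The behaviour described above (a script host beaconing to a non-standard port) is the kind of thing endpoint telemetry can catch. The following Python script is an added example, not code from the Intrinsec report or this article: it reads Sysmon-style network-connection events and flags outbound connections from the Windows script hosts wscript.exe and cscript.exe to ports other than 80 and 443, aggregating repeats so a periodic beacon shows up as one alert with a count. The sample events, the field names, the internal address ranges and the choice of "expected" ports are assumptions for illustration; the report does not name the ports the backdoor used.

```python
"""Flag Windows Script Host processes beaconing on non-standard ports.

Added example, not code from the Intrinsec report or the article. It reads
Sysmon-style network-connection events (Event ID 3) constructed inline;
field names, port policy and internal ranges are assumptions.
"""
import ipaddress
import json
from collections import defaultdict

# Processes that execute a .js/.jse/.mjs attachment on Windows.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Ports on which an outbound connection from a script host is at least
# plausible (assumed policy). Anything else is treated as a non-standard beacon.
EXPECTED_PORTS = {80, 443}

# Your own address space (assumed). Script-host traffic to internal systems
# is excluded by default because admin scripts legitimately do that.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (JSON lines), not real data. 203.0.113.0/24 is
# a documentation range standing in for a C2 address.
SAMPLE_EVENTS = r"""
{"ts":"2026-03-04T09:12:01Z","host":"FIN-WS-07","image":"C:\\Windows\\System32\\wscript.exe","dst_ip":"203.0.113.45","dst_port":8443,"initiated":true}
{"ts":"2026-03-04T09:12:03Z","host":"FIN-WS-07","image":"C:\\Windows\\System32\\wscript.exe","dst_ip":"203.0.113.45","dst_port":8443,"initiated":true}
{"ts":"2026-03-04T09:13:10Z","host":"FIN-WS-07","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst_ip":"198.51.100.7","dst_port":443,"initiated":true}
{"ts":"2026-03-04T09:15:44Z","host":"HR-WS-02","image":"C:\\Windows\\System32\\cscript.exe","dst_ip":"10.0.5.20","dst_port":445,"initiated":true}
{"ts":"2026-03-04T09:16:00Z","host":"HR-WS-02","image":"C:\\Windows\\SysWOW64\\wscript.exe","dst_ip":"203.0.113.99","dst_port":443,"initiated":true}
{"ts":"2026-03-04T09:17:22Z","host":"FIN-WS-07","image":"C:\\Windows\\System32\\wscript.exe","dst_ip":"203.0.113.45","dst_port":8443,"initiated":false}
"""


def image_name(path: str) -> str:
    """Basename of the process image, lower-cased; accepts either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_script_host_beacons(events, expected_ports=EXPECTED_PORTS, ignore_internal=True):
    """Return one alert per (host, script host, destination, port) seen on a
    non-standard port, with a hit count and first/last timestamps, so a
    repeating beacon is reported once rather than once per connection."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        if not ev.get("initiated", False):
            continue                      # only outbound connections matter here
        name = image_name(ev["image"])
        if name not in SCRIPT_HOSTS:
            continue
        port = int(ev["dst_port"])
        if port in expected_ports:
            continue
        if ignore_internal and is_internal(ev["dst_ip"]):
            continue                      # tune for your environment
        key = (ev["host"], name, ev["dst_ip"], port)
        h = hits[key]
        h["count"] += 1
        h["first"] = h["first"] or ev["ts"]
        h["last"] = ev["ts"]
    return [{"host": k[0], "image": k[1], "dst_ip": k[2], "dst_port": k[3], **v}
            for k, v in sorted(hits.items())]


if __name__ == "__main__":
    for alert in find_script_host_beacons(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

With the defaults, the two wscript.exe connections from FIN-WS-07 to port 8443 collapse into a single alert with count 2; the cscript.exe connection to an internal host on 445 is suppressed by the internal-range filter, and turning that filter off (ignore_internal=False) surfaces it as a second alert, which is the trade-off to tune per environment.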
The infrastructure behind these campaigns is what makes this case especially notable. GHOSTYNETWORKS, operating as AS205759 and registered in Kentucky in January 2026, hosted one of the spam-sending IP addresses. Four of its six announced network prefixes are currently flagged as abusive by Spamhaus, which describes it as a network enabling cybercrime operations across the globe. Intrinsec linked GHOSTYNETWORKS with high confidence to a now-defunct network called OPTIBOUNCE, also registered in Kentucky and previously tied to AnonRDP, a well-documented bulletproof hosting provider. The same organizer name, Daniel Mishayev, appears across multiple Kentucky-registered companies, each associated with a network consistently flagged for abusive content.
OMEGATECH (AS202412), based in the Seychelles, hosted the JavaScript backdoor's command-and-control domain along with a second spam-sending domain. Spamhaus identifies it as yet another front for Virtualine, a Russia-based bulletproof provider advertised on underground criminal forums. Honeypots logged more than 642,000 network hits from OMEGATECH IPs during March 2026, showing just how heavily this network is exploited for malicious purposes.
The financial motive behind these campaigns aligns with a well-established and growing threat pattern. The FBI reported over $3 billion in business email compromise losses in 2025 alone. Attackers are increasingly targeting organizations with weaker defenses, such as finance ministries of smaller nations, where limited budgets and less mature email controls make them far easier to compromise.
Intrinsec recommends that organizations block JavaScript file types (.js, .jse and .mjs) as email attachments, together with ZIP, ISO and RAR containers that may carry embedded scripts. Application control (for example AppLocker or WDAC on Windows) that prevents wscript.exe and cscript.exe from running outside trusted paths adds another layer, since a .js attachment does nothing on its own without a script host to run it. An email security gateway that detects and filters phishing messages carrying malicious attachments is also strongly advised. Blocking the network prefixes announced by known bulletproof hosting autonomous systems at the firewall remains one of the most efficient ways to keep this traffic away from internal systems, with one caveat: such providers re-register under new names and ASNs, as the OPTIBOUNCE to GHOSTYNETWORKS lineage shows, so the block list has to be refreshed from a current feed rather than set once.
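One way to implement the attachment controls above, as an added example that is not Intrinsec's or the article's code: a gateway-side classifier that blocks bare script attachments, opens ZIP containers with the standard library to look for script members (catching double extensions such as invoice.pdf.js and nested archives), and fails closed on containers it cannot open offline (RAR, ISO), on encrypted members and on over-nested or oversized archives. It generalizes the page's list of .js, .jse and .mjs to other Windows Script Host and HTML Application formats (.wsf, .vbs, .vbe, .hta). The sample archives and file names are constructed; the extension sets, depth and size limits are assumptions to adapt to local policy.

```python
"""Gateway-style check for script payloads in email attachments.

Added example, not code from Intrinsec or the article. ZIP containers are
inspected with the standard library; containers that cannot be opened
offline (RAR, ISO) are blocked rather than passed through unchecked.
All names and archives below are constructed test data.
"""
import io
import posixpath
import zipfile

# Extensions from the recommendation (.js, .jse, .mjs) plus other Windows
# Script Host / HTML Application formats (generalisation by this example).
SCRIPT_EXTENSIONS = {".js", ".jse", ".mjs", ".wsf", ".vbs", ".vbe", ".hta"}
INSPECTABLE_CONTAINERS = {".zip"}                    # openable with zipfile
OPAQUE_CONTAINERS = {".rar", ".iso", ".7z", ".img"}  # need third-party parsers
MAX_DEPTH = 3                        # archives nested deeper than this are blocked
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members


def _ext(name: str) -> str:
    # Last suffix only, so "Invoice.pdf.js" classifies as .js.
    return posixpath.splitext(name.lower())[1]


def _verdict(verdict: str, reason: str, findings=None) -> dict:
    return {"verdict": verdict, "reason": reason, "findings": findings or []}


def classify_attachment(filename: str, data: bytes, depth: int = 0) -> dict:
    """Return {'verdict': 'allow'|'block', 'reason': str, 'findings': [paths]}.

    Findings use archive!member notation so a nested hit is traceable.
    """
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        return _verdict("block", "bare script attachment", [filename])
    if ext in OPAQUE_CONTAINERS:
        return _verdict("block", "container cannot be inspected", [filename])
    if ext not in INSPECTABLE_CONTAINERS:
        return _verdict("allow", "not a script or archive")
    if depth >= MAX_DEPTH:
        return _verdict("block", "archive nesting too deep", [filename])
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return _verdict("block", "corrupt or mislabelled ZIP", [filename])
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = f"{filename}!{info.filename}"
            if info.flag_bits & 0x1:        # encrypted member: cannot scan, fail closed
                return _verdict("block", "encrypted archive member", [inner])
            if info.file_size > MAX_MEMBER_BYTES:
                return _verdict("block", "oversized archive member", [inner])
            member_ext = _ext(info.filename)
            if member_ext in SCRIPT_EXTENSIONS:
                findings.append(inner)
            elif member_ext in INSPECTABLE_CONTAINERS | OPAQUE_CONTAINERS:
                sub = classify_attachment(inner, zf.read(info), depth + 1)
                if sub["verdict"] == "block":
                    findings.extend(sub["findings"])
    if findings:
        return _verdict("block", "script or blocked container inside archive", findings)
    return _verdict("allow", "archive has no script members")


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not artefacts from the campaign.
LURE_ZIP = build_zip({"Invoice_2026-03.pdf.js": b"eval(unescape('%76%61%72'));"})
NESTED_ZIP = build_zip({"docs.zip": build_zip({"readme.txt": b"hi", "setup.jse": b"x"})})
CLEAN_ZIP = build_zip({"report.pdf": b"%PDF-1.7", "notes.txt": b"ok"})

if __name__ == "__main__":
    for name, blob in [("Invoice.zip", LURE_ZIP), ("Attach.zip", NESTED_ZIP),
                       ("Clean.zip", CLEAN_ZIP), ("Scan.rar", b"Rar!"),
                       ("memo.pdf", b"%PDF")]:
        print(name, classify_attachment(name, blob))
```

The fail-closed branches matter more than the happy path: an encrypted ZIP, a RAR or ISO the gateway cannot parse, or a deeply nested archive is exactly how a lure slips past a scanner that only allows what it can positively clear. If RAR or ISO attachments are business-critical, swap the opaque branch for a real parser rather than allowing them through uninspected.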