GeorgeGinx

GeorgeGinx is a likely financially motivated cybercrime operator, assessed in the cited reporting as an intermediate-level solo actor or small team running hands-on-keyboard intrusion tooling with weak operational security. The actor is directly linked to Striker C2 infrastructure and a bespoke command-and-control environment branded "GeorgeGinx Panel." Known aliases and identifiers in the provided content include GeorgeGinx, Striker (as the associated C2 framework/operator context), the Telegram-linked handle "calipology," and the Telegram handle @georgeknowsit shown in the GeorgeGinx login page as "Geroge knows." The reporting ties GeorgeGinx to EvoXT-hosted infrastructure in New York City, especially 23.27.141.44 and 23.27.141.46. On 23.27.141.44, investigators identified a Striker C2 deployment whose frontend on port 3004 was disguised as "Trading Bots Management" and whose backend ran over Socket.IO on port 3003. The Striker bundle exposed functionality for agent management, interactive shell access, tasking, file operations, redirectors, auth keys, team chat, user management, and logging, with token-based authentication in the Socket.IO handshake. On 23.27.141.46, investigators found a Flask-based panel explicitly branded "GeorgeGinx Panel," with a custom Go backend on port 1337 and a custom DNS listener on UDP 53. The two servers were assessed with high confidence as operated by the same actor. The actor was also linked to a trojanized software distribution campaign involving MSTeamsSetup.exe, a fake Microsoft Teams installer first seen on MalwareBazaar on 2026-04-08. According to the reporting, the sample delivered a weaponized RustDesk remote access client and used mon.systemautoupdater[.]com as active command-and-control, resolving to 23.27.141[.]44. The infrastructure overlap between mon.systemautoupdater[.]com, the EvoXT-hosted Striker server, and certificates tied to calipology[.]com was assessed as confirmation that the GeorgeGinx/Striker operator had expanded into signed trojanized software distribution. Infrastructure associated with the actor includes calipology[.]com, which the reporting assessed as actor-controlled with high confidence. The server at 23.27.141[.]44 presented a TLS certificate for calipology[.]com and redirected HTTPS traffic to calipology[.]co[.]uk, described in the reporting as a legitimate UK brake caliper refurbishment business. The content states that this relationship may indicate either shared ownership overlap or impersonation for cover; the legitimate .co.uk site is treated as an investigative pivot rather than confirmed malicious infrastructure. The campaign also used a suspicious code-signing certificate issued by Certum to "Zlatin Stamatov" to sign the trojanized MSTeamsSetup.exe. The reporting assessed that certificate as likely stolen or fraudulently obtained. Additional exposed services on the actor infrastructure included FTP, SSH, Apache, nginx, Python SimpleHTTP, CUPS, and the "Trading Bots Management" application, suggesting broader criminal activity beyond remote access malware distribution, including possible crypto trading fraud or bot management activity. The reporting mapped the activity to ATT&CK techniques including T1071.001, T1090, T1059, T1041, T1105, T1036.005, and T1036.004.