xssNew

xssNew is a cybercrime actor identified as the operator of NET_SCAN, a fully operational cybercrime-as-a-service (CaaS) platform. The actor is described in the source content as an XSS.is forum Premium member since July 2022 and used the Telegram handle @NET_SCAN_Admin, with additional bots @NET_SCAN_bot and @netscan_bot. The content links xssNew to both netscan[.]info and the WordPress-focused spinoff wpmagic[.]net through shared infrastructure and source-code artifacts. According to the provided reporting, NET_SCAN offered modules and services for WordPress exploitation, bulk WordPress credential checking, code injection, remote shell access, AWS, cPanel, and SSH credential theft, sensitive file scanning, database operations, email spoofing, SMS fraud, bulk email campaigns, AI phishing email generation, Telegram and WhatsApp automation, Telerik exploit DLL generation, text-to-speech, and cryptomining. The WP Magic Button component supported four WordPress injection methods: Theme Editor, File Manager, Plugin Editor, and Plugin Loading, and classified outcomes as Good, Injected, NoPlugin, or Bad Clone Missed. The content states that unauthenticated API endpoints on netscan[.]info exposed stolen SMS and SMTP credentials, provider statistics, discovered databases, scanner logs, and a full miner installation script. The cryptomining capability used a custom Go binary named multimmm-user, bundled XMRig for Monero mining, persisted via a systemd service named multimmm-user.service, and communicated with a WebSocket C2 at wss://netscan[.]info/api/miners/ws/agent. The reporting also notes that xssNew advertised "Magic Button - Project from the Net Scan" on XSS.is with multiple pricing tiers. The actor is associated in the content only with cybercrime activity; no nation-state attribution is stated. Known alias in the provided content: xssnew.