calipology
calipology is a threat actor handle identified in reporting on a cybercrime campaign involving a trojanized Microsoft Teams installer (MSTeamsSetup.exe) that deploys a weaponized RustDesk remote access client. Breakglass Intelligence linked the actor to command-and-control infrastructure at mon.systemautoupdater[.]com and 23.27.141[.]44, and assessed this infrastructure overlap as confirmation that the previously identified GeorgeGinx/Striker operator expanded from Striker C2 framework operations into signed trojanized software distribution for financially motivated intrusion activity.

The attribution is based on shared EvoXT hosting, a TLS certificate for calipology[.]com presented by 23.27.141[.]44, and overlap with the "calipology" Telegram attribution from the earlier Striker investigation. The infrastructure redirected HTTPS traffic to calipology[.]co[.]uk, described in the reporting as a legitimate UK brake caliper refurbishment business that may represent the operator's real-world identity or cover. The malware sample was signed with a suspicious Certum-issued code-signing certificate for "Zlatin Stamatov," assessed in the report as likely stolen or fraudulently obtained.

Investigators also observed multiple exposed services on the C2 server, including FTP, SSH, Apache, nginx, and a Python-hosted "Trading Bots Management" panel on port 3004, suggesting broader criminal activity beyond remote access malware distribution. Known associated aliases or linked designations directly mentioned in the content are GeorgeGinx and Striker.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- GB
Tradecraft
8 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Observables
12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.