ingermany
ingermany is the alias of a suspected single operator linked to a live botnet operation involving SmokeLoader and Fuery. The reporting ties this operator to a shared Go 1.20.1 malware development toolchain and a distinctive obfuscation framework that disguises malware structures with Raft consensus protocol type names such as AppendEntries, VoteRequest, and LogEntry; related analysis also notes VP8/VP9-themed cover structures in Fuery. Static analysis linked a Fuery sample and a related SmokeLoader variant to the same developer, and one report attributes the operator to the handle ingermany, identifying the persona as "German Ingrmen" in Krasnodar, Russia, based on exposed WHOIS and SOA data; the same reporting assesses that identity as likely fabricated but internally consistent.

The actor operated SmokeLoader infrastructure using domains including coox.live, baxe.pics, and ropea.top. SmokeLoader split its command-and-control functions across non-standard high ports, including TCP beaconing to coox.live:28313 and HTTP multipart/form-data exfiltration to baxe.pics:48261. Sandbox analysis of the linked sample showed credential theft from browsers, theft of email client data, cryptocurrency wallet access, and software and process enumeration. Researchers identified a live Flask-based C2 panel on coox.live masquerading as an insurance SaaS platform called "InsureFlow Pro," with an exposed unauthenticated /admin dashboard and /healthz endpoint, along with multiple OPSEC and implementation weaknesses.

Certificate and hosting history linked botmind-sa.com, baxe.pics, coox.live, ropea.top, forestoaker.com, and oahgsfwklg.top within the operator's infrastructure history. The same operator was also linked to Fuery infrastructure centered on laf.oahgsfwklg.top at 178.16.54.79, using an nginx/PHP/Laravel-based panel named "Monkey."
Fuery used POST requests to single-letter endpoints such as /t, /s, /c, /f, and /v, and downloaded outdated OpenSSL DLLs to enable SMTP exfiltration via Gmail over port 465. Separate static analysis describes Fuery as a garble-obfuscated Go implant delivered by the Amadey botnet in campaign fbf543 and masquerading as volunteers.exe. Fuery supports process injection via thread context hijacking, host reconnaissance, file operations, anti-analysis checks, and raw WinSock-based communications. The reporting also notes that the Fuery C2 shared a /24 subnet with known Phorpiex infrastructure on OMEGATECH LTD, suggesting either shared bulletproof hosting or possible operational overlap. Known aliases and identifiers directly mentioned in the reporting include ingermany, German Ingrmen, and the organization string ingermany. The reporting further concludes this actor is likely distinct from CERT-UA’s UAC-0006 based on registrar, hosting, and targeting differences.
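The network indicators above (the listed domains and IP, the split SmokeLoader C2 ports 28313 and 48261, multipart/form-data POSTs to a non-standard port, and Fuery's POSTs to single-letter paths) translate directly into proxy-log detection logic. The following is an added example, not code from the reporting or from any vendor; the log format, the source hosts, and the 203.0.113.x destination addresses are constructed for the example (the page gives resolved addresses only for laf.oahgsfwklg.top), and the rule names are the author's own.

```python
import re
from dataclasses import dataclass

# Infrastructure indicators as stated in the reporting summarised above.
IOC_DOMAINS = {"coox.live", "baxe.pics", "ropea.top", "botmind-sa.com",
               "forestoaker.com", "oahgsfwklg.top"}
IOC_IPS = {"178.16.54.79"}
# Split SmokeLoader C2: TCP beaconing and HTTP exfiltration on high ports.
IOC_HOST_PORTS = {("coox.live", 28313), ("baxe.pics", 48261)}
# Fuery used POST requests to single-letter endpoints (/t, /s, /c, /f, /v).
SINGLE_LETTER_PATH = re.compile(r"^/[a-z]$")
# Ports where a multipart POST is ordinary and should not alert on its own.
COMMON_HTTP_PORTS = {80, 443, 8080, 8443}

# Constructed log format (hypothetical, not from the page):
# <ts> <src_ip> <dst_host> <dst_ip> <dst_port> <method> <path> <content_type>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+) (\S+) (\S+)$")


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any indicator domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line_no, line):
    """Apply every rule to one log line; returns zero or more Alerts."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # skip lines that do not fit the constructed format
    _ts, _src, host, dst_ip, port, method, path, ctype = m.groups()
    port = int(port)
    host_l = host.lower()
    alerts = []
    # High confidence: contact with reported infrastructure by name or IP.
    if domain_matches(host_l, IOC_DOMAINS) or dst_ip in IOC_IPS:
        alerts.append(Alert(line_no, "ioc_infrastructure", f"{host}({dst_ip}):{port}"))
    # High confidence: the exact host:port pairs of the split SmokeLoader C2.
    if (host_l, port) in IOC_HOST_PORTS:
        alerts.append(Alert(line_no, "smokeloader_c2_port", f"{host}:{port}"))
    # Behavioural: multipart upload to a port where HTTP is unexpected.
    if method == "POST" and ctype.startswith("multipart/form-data") \
            and port not in COMMON_HTTP_PORTS:
        alerts.append(Alert(line_no, "multipart_post_nonstd_port", f"{host}:{port}"))
    # Behavioural, weaker signal: Fuery-style POST to a single-letter path.
    if method == "POST" and SINGLE_LETTER_PATH.match(path):
        alerts.append(Alert(line_no, "single_letter_post_path", f"{host}{path}"))
    return alerts


def scan(lines):
    """Run the rules over an iterable of log lines."""
    found = []
    for n, line in enumerate(lines, 1):
        found.extend(scan_line(n, line))
    return found


def rules_by_line(alerts):
    """Group fired rule names by log line for triage."""
    out = {}
    for a in alerts:
        out.setdefault(a.line_no, set()).add(a.rule)
    return out


# Constructed sample log; 203.0.113.x addresses are placeholders (TEST-NET-3).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 coox.live 203.0.113.10 28313 TCP - -
2024-01-01T10:00:05Z 10.0.0.5 baxe.pics 203.0.113.11 48261 POST /upload multipart/form-data;boundary=x
2024-01-01T10:01:00Z 10.0.0.7 laf.oahgsfwklg.top 178.16.54.79 80 POST /t application/x-www-form-urlencoded
2024-01-01T10:02:00Z 10.0.0.9 www.example.com 203.0.113.20 443 GET /index.html text/html
2024-01-01T10:03:00Z 10.0.0.9 example.org 203.0.113.21 80 POST /s text/plain
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule} {a.detail}")
```

The last sample line is deliberately a benign-looking host hitting a single-letter path: that rule fires alone, which is why it is labelled the weaker signal and is best used to corroborate an infrastructure match rather than page on its own.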
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Operator/developer linked by static analysis to Fuery and a related SmokeLoader variant through a shared Go obfuscation framework using Raft and VP8/VP9 cover types.
Operator behind a live SmokeLoader and Fuery botnet operation, using custom C2 infrastructure, a Flask-based panel disguised as "InsureFlow Pro," and shared tooling including novel Go obfuscation. The report assesses this actor as likely an independent SmokeLoader customer rather than UAC-0006.