In the ever-evolving world of cybercrime, new threats surface regularly as various actors exploit the anonymity and vast infrastructure of the internet to carry out malicious activities. One such individual, identified as ‘Coquettte,’ has been linked to a series of cyberattacks and illicit online activities. This hacker, whose relatively low-level technical skills belie a disturbing involvement in criminal acts, has been using a bulletproof hosting provider to distribute malware and even sell guides for manufacturing illegal substances. This article delves into Coquettte’s activities and online presence, offering a glimpse into the workings of amateur cybercriminals and their growing digital infrastructure.
Summary:
A relatively new and low-skilled cyber threat actor, known as ‘Coquettte,’ has been discovered distributing malware under the guise of legitimate software. Coquettte’s operations were uncovered by DomainTools researchers who were investigating malicious domains hosted by Proton66, a Russian bulletproof hosting provider that is notorious for enabling cybercrime by ignoring abuse complaints.
The first discovery came through a website, cybersecureprotect[.]com, which appeared to offer antivirus software called ‘CyberSecure Pro’ but instead distributed the Rugmi malware loader. Analysis showed the site was a front for malware distribution: the download was a compressed zip file containing a Windows Installer that dropped Rugmi when executed. The loader would then fetch additional payloads from Coquettte-controlled servers. Rugmi is a modular malware loader used by cybercriminals to distribute infostealers, trojans, and ransomware, making it a versatile tool for a range of cybercrime activities.
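The delivery chain described above (an archive download, an embedded Windows Installer, a loader that then fetches more payloads) is something a defender can triage before anything runs. The Python script below is an added example written for this article; it is not code from DomainTools or from the original report. The archive it inspects is constructed in memory with made-up file names, and the member names, magic-byte checks and labels are the example’s own assumptions, not indicators from the investigation.

```python
import hashlib
import io
import zipfile

# Leading bytes checked before trusting the file extension (standard format signatures).
PE_MAGIC = b"MZ"                                   # Windows PE executables and DLLs
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # OLE compound file; MSI installers use this container
ZIP_MAGIC = b"PK\x03\x04"                           # nested zip archive

# Extensions under which executable or container content is expected; anything executable
# found under another extension is treated as disguised.
RISKY_EXTENSIONS = {".exe", ".dll", ".msi", ".scr", ".bat", ".cmd",
                    ".ps1", ".js", ".vbs", ".hta", ".zip"}
CONTENT_EXECUTABLE = {"pe", "msi-or-ole", "nested-zip"}


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def classify_member(name: str, data: bytes) -> str:
    """Label a member by its leading bytes first and by its extension only as a fallback."""
    if data.startswith(OLE_MAGIC):
        return "msi-or-ole"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "nested-zip"
    if extension_of(name) in RISKY_EXTENSIONS:
        return "script-or-installer-by-extension"
    return "other"


def triage_archive(zip_bytes: bytes) -> dict:
    """Enumerate every file in a downloaded zip and flag anything that would execute on the endpoint."""
    members = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            label = classify_member(info.filename, data)
            # Executable content hiding under a non-executable extension is a strong signal.
            ext_mismatch = (label in CONTENT_EXECUTABLE
                            and extension_of(info.filename) not in RISKY_EXTENSIONS)
            members.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # for lookup against threat-intel feeds
                "label": label,
                "ext_mismatch": ext_mismatch,
            })
    suspicious = [m for m in members if m["label"] != "other" or m["ext_mismatch"]]
    return {"members": members, "suspicious": suspicious,
            "verdict": "review" if suspicious else "no-executable-content"}


def build_sample_archive() -> bytes:
    """Constructed sample that mimics a fake-antivirus bundle; nothing here is a real installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Thank you for downloading our antivirus.\n")
        # OLE header plus padding stands in for the Windows Installer package (constructed).
        zf.writestr("CyberSecure Pro Setup.msi", OLE_MAGIC + b"\x00" * 504)
        # PE header under a data-file extension: the disguise the triage should catch (constructed).
        zf.writestr("update.dat", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print("verdict:", result["verdict"])
    for m in result["suspicious"]:
        print(f"  {m['name']}: {m['label']}, ext_mismatch={m['ext_mismatch']}, sha256={m['sha256'][:16]}...")
```

Classifying by content before extension matters here: the MSI format is an OLE compound container, so a renamed installer is still recognized, and a PE file under a data-file extension is flagged rather than waved through. The per-member SHA-256 is what you would submit to a threat-intelligence lookup or a sandbox.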
DomainTools also uncovered other illicit activities tied to Coquettte, including a website that provided guides for manufacturing illegal substances such as methamphetamine and explosives. The website, meth[.]to, offered step-by-step instructions for creating dangerous substances and devices, though its authenticity in providing effective guides has not been verified.
Further investigation into Coquettte revealed their association with a hacking collective called Horrid. The collective shares infrastructure across multiple domains involved in illicit activities. Coquettte’s presence is also spread across several online platforms, such as a personal GitHub repository, YouTube channel, and Last.fm profile, which hints at a larger cybercriminal network. Additionally, Coquettte appears to be a young individual, possibly a student, which explains some of the amateurish mistakes made in their cybercrimes, like the open directory containing malware.
The discovery of Coquettte sheds light on a growing trend of low-skilled, yet effective, cybercriminals who use bulletproof hosting to carry out their operations with impunity. Proton66, the hosting provider enabling Coquettte’s activities, continues to be a hub for various illicit actions due to its refusal to take down malicious content.
What Undercode Says:
Coquettte’s activities are a case study of the dangers posed by bulletproof hosting providers and the increasing number of young, opportunistic cybercriminals entering the field. Unlike highly skilled hackers, Coquettte is an example of an amateur who has managed to leverage an infrastructure meant to evade detection, which is typical of the “low-skill” hacker archetype. The reliance on Proton66—a Russian hosting provider that has a history of enabling cybercriminal activity—makes this case all the more concerning. Providers like Proton66 allow such actors to continue their operations without fear of consequences, thereby fostering an environment where crimes can proliferate with minimal risk.
What stands out is the use of ‘CyberSecure Pro’ as a façade to distribute the Rugmi malware. This tactic is particularly deceptive, as it exploits users’ trust in antivirus solutions. Cybercriminals often mask their malware under the guise of legitimate software to increase the likelihood of it being downloaded and executed by unsuspecting victims. The fact that the website was hosted on Proton66, which notoriously ignores abuse complaints, enabled Coquettte to distribute the malware without any significant interference.
Moreover, Coquettte’s side ventures—such as distributing illegal guides for manufacturing drugs and explosives—demonstrate how cybercriminals are diversifying their portfolios. Coquettte’s activities extend beyond malware into the realm of providing illicit knowledge to anyone interested in illegal operations. While the authenticity of the guides is unclear, the mere presence of such material highlights the increasing use of the internet as a platform for dangerous, unlawful instructions.
Additionally, the connection to the Horrid hacker collective suggests that Coquettte is not working alone. The group shares a digital footprint across multiple domains, reinforcing the idea that Coquettte is part of a wider network of cybercriminals. This collective approach is not unique to Coquettte and is often seen in other cybercriminal activities, where actors share resources, tools, and techniques to broaden their impact.
The amateurish mistakes, such as Coquettte’s open directory, indicate a lack of experience in opsec (operational security). These mistakes are common among newer hackers, but they also provide valuable insights into the early stages of a hacker’s learning curve. The personal website, which once displayed a message stating Coquettte was an 18-year-old pursuing a computer science degree, further reinforces the idea that cybercrime is attracting a younger generation of hackers. They are likely driven by curiosity, financial motivations, or even a desire to learn and experiment, but their actions still pose a significant threat to internet security and safety.
While Coquettte may seem like an isolated incident, their activities are part of a broader trend where low-skilled hackers are gaining access to powerful tools and infrastructures. As more cybercriminals join the ranks of bulletproof hosting providers, the global threat landscape will only become more complicated. Law enforcement and security researchers must adapt to these evolving threats by focusing on the infrastructure that supports cybercrime and tackling it at its roots.
Fact Checker Results:
- The claims regarding Coquettte’s association with Proton66 were verified by DomainTools through direct links between the malware sites and the C2 server.
- The existence of meth[.]to and its content related to illicit activities is based on investigation by DomainTools; however, the authenticity of the guides remains unverified.
References:
Reported By: https://www.infosecurity-magazine.com/news/coquettte-hacker-malware-bph/