You've Been Exposed

Threat Actor Fully Identified & Reported

⚠ Notice to the Attacker

Your entire operation has been forensically analyzed, documented, and reported to the relevant authorities and hosting providers. Every backdoor, every binary, every cron job, every IP address — we have it all. This page now sits where your malware used to be.

🔎 Collected Evidence

C2 Servers Identified
j.sjzgyw.com • jump.app-test.cc • aa.u4i2o6p.makeup • aagame.fun
SEO cloaking command & control infrastructure — fully mapped and reported
GSSocket Reverse Shell
gs-netcat via gs.thc.org • Port 22 SSH Tunnel
Binary: [kstrp] — SHA256: d94f75a70b5cabaf...bcfa • Secret keys recovered
Cryptominer Binary
lib-update (XMRig/Go) • UPX 4.22 packed
SHA256: 601ffcb1407b5426...88e6 • Mining pools: Azure:4444, Google:44445, Greece:55558
SSH Backdoor Key
mega@DESKTOP-2OII6D4 (RSA-3072)
Planted: April 17, 2026 01:32 UTC — removed and logged
🏳 Attacker IP Addresses — Fully Deanonymized
Bogor, West Java, Indonesia • CV Andhika Pratama Sanggoro / CV Mico Digital
IP Address | Location | Type | ISP / Organization
157.66.54.26 | Bogor, West Java, Indonesia | ★ REAL IP | CV Andhika Pratama Sanggoro
157.66.54.6 | Bogor, West Java, Indonesia | Same Network | CV Mico Digital Indonesia
157.66.54.30 | Bogor, West Java, Indonesia | Same Network | CV Mico Digital Indonesia
157.66.54.106 | Bogor, West Java, Indonesia | Hosting | webhostingindonesia.co.id
157.66.54.162 | Bogor, West Java, Indonesia | Proxy | CV Mico Digital Indonesia
45.80.187.39 | Hong Kong / Vietnam (VPN exit) | VPN | PacketHub (identified in 19 seconds flat)
45.132.255.10 | Moscow, Russia | cPanel Intrusion | First Server Limited • AS205090
📍 Primary operator located in Bogor, West Java, Indonesia. VPN failed. Real IP logged. Russian proxy also identified.
Malware Artifacts Recovered
web.log • .cache.session.php • .cache_key • hex mu-plugins • P1p1.php • .fontcache-v4 • wp-info-*.php • media.dist • class-wp-locale-textdomain.php
All file hashes, timestamps, and deployment patterns documented

📅 Your Activity Timeline

Sep 2025
cPanel access from 45.132.255.10 (Moscow) — initial compromise
Apr 2, 2026
First backdoor deployment: P1p1.php in sodium_compat
Apr 7, 2026
Cryptominer lib-update deployed to 49 servers
Apr 8, 2026
SEO cloaking web.log deployed — Vietnamese gambling redirects
Apr 17, 2026
SSH key mega@DESKTOP-2OII6D4 planted after first cleanup attempt
Apr 22, 2026
GSSocket gs-dbus reverse shell deployed (timestomped to 2012)
May 10, 2026
Today — upgraded to [kstrp] GSSocket. All malware removed. This page deployed.

⚠ Final Warning

All evidence has been preserved and submitted to CERT teams, hosting abuse departments, and law enforcement channels. Your infrastructure fingerprints (C2 domains, binary hashes, SSH keys, IP addresses, operational patterns) are now in shared threat intelligence feeds.

If you attempt to re-compromise these systems, you will be providing additional evidence that strengthens the case against you. Walk away.

🇮🇩 Warning to the Perpetrator (Bahasa Indonesia)

Your entire operation has been forensically analyzed, documented, and reported to the relevant authorities and hosting providers. Every backdoor, every binary, every cron job, every IP address: we have all of it.

The digital evidence we have collected includes: your C2 servers (j.sjzgyw.com, jump.app-test.cc, aagame.fun), the cryptominer binaries (lib-update, [kstrp]), the SSH key you planted (mega@DESKTOP-2OII6D4), and your real IP addresses:

157.66.54.26 — Real IP — Bogor, West Java, Indonesia — CV Andhika Pratama Sanggoro
157.66.54.6 / 157.66.54.30 / 157.66.54.162 — Same network — CV Mico Digital Indonesia
157.66.54.106 — Hosting — webhostingindonesia.co.id
45.80.187.39 — VPN (PacketHub, Hong Kong) — identified in 19 seconds
45.132.255.10 — Russian proxy — First Server Limited, Moscow

If you try to attack these systems again, you will only add evidence that strengthens the legal case against you. Stop now.
